Prevent Cross-site WebSocket hijacking with a custom header and no CORS


Consider that I am vulnerable to Cross-site WebSocket hijacking, as my WebSocket handshake (GET to example.com/wss) does not require a random (CSRF) token.

I have defined no CORS settings, so no custom headers can be added to cross-site requests.

Would it theoretically be enough to add a static custom request header that is required for the WebSocket handshake, in order to prevent Cross-site WebSocket hijacking?
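The following is an added example, not code from the question or any specific server framework. It shows a server-side handshake gate that enforces the mechanism the question asks about (a static custom header on the upgrade request) and, in addition, an Origin allowlist, which is the standard server-side defence against Cross-site WebSocket hijacking because the browser attaches the Origin header to every WebSocket handshake and page scripts cannot alter it. The header name `X-WS-Client`, its value, the allowed origin and the sample requests are all constructed for the example. One design note: the browser's `WebSocket` constructor has no way to set custom request headers at all, so a required custom header rejects every browser-initiated handshake, same-site ones included; it is the Origin check that actually separates same-site from cross-site browser clients.

```python
"""Server-side WebSocket handshake validation (added example, constructed input)."""

from typing import Mapping, Tuple

# Hypothetical static header a non-browser client is expected to send.
REQUIRED_HEADER = "X-WS-Client"
REQUIRED_VALUE = "example-app"

# Constructed allowlist of origins permitted to open a socket.
ALLOWED_ORIGINS = frozenset({"https://example.com"})


def check_handshake(headers: Mapping[str, str],
                    allowed_origins=ALLOWED_ORIGINS,
                    require_static_header: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason) for an HTTP upgrade request.

    Header names are matched case-insensitively, as HTTP requires.
    The checks are ordered so the reason names the first failing control.
    """
    h = {name.lower(): value for name, value in headers.items()}

    # Only inspect genuine WebSocket upgrades.
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"

    # Control 1: the static custom header from the question.
    if require_static_header and h.get(REQUIRED_HEADER.lower()) != REQUIRED_VALUE:
        return False, "missing or wrong static header"

    # Control 2: Origin allowlist. Browsers always send Origin on the
    # WebSocket handshake; a cross-site page cannot spoof or remove it.
    origin = h.get("origin")
    if origin is None:
        return False, "missing Origin"
    if origin not in allowed_origins:
        return False, "origin not allowed"

    return True, "ok"


def demo() -> dict:
    """Run the gate over constructed sample handshakes and return the outcomes."""
    base = {"Upgrade": "websocket", "Connection": "Upgrade",
            "Sec-WebSocket-Version": "13"}
    samples = {
        # Same-site client that also sends the static header: accepted.
        "same_site_with_header": {**base, "Origin": "https://example.com",
                                  REQUIRED_HEADER: REQUIRED_VALUE},
        # Cross-site page: Origin reveals it even if it somehow carried the header.
        "cross_site_with_header": {**base, "Origin": "https://attacker.example",
                                   REQUIRED_HEADER: REQUIRED_VALUE},
        # Cross-site page using the browser WebSocket API: no custom header possible.
        "cross_site_no_header": {**base, "Origin": "https://attacker.example"},
        # Same-site browser page: the static header cannot be set from JS either.
        "same_site_no_header": {**base, "Origin": "https://example.com"},
    }
    return {name: check_handshake(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:24s} accepted={accepted} reason={reason}")
```

Note how `same_site_no_header` is rejected: with `require_static_header=True` a legitimate browser client cannot pass, which is why the Origin allowlist (and, for the session itself, a per-session token carried in the first message or in the URL) is the control worth relying on for browser clients.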