diff --git a/pkg/globalmanager/messagelayer/ws/server.go b/pkg/globalmanager/messagelayer/ws/server.go
index ae54c8988..c97d3ee52 100644
--- a/pkg/globalmanager/messagelayer/ws/server.go
+++ b/pkg/globalmanager/messagelayer/ws/server.go
@@ -17,8 +17,11 @@ limitations under the License.
 package ws
 
 import (
+	"fmt"
 	"net/http"
+	"strings"
 
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/klog/v2"
 
 	"github.com/gorilla/websocket"
@@ -56,8 +59,23 @@ func (srv *Server) upgrade(w http.ResponseWriter, r *http.Request) *websocket.Co
 	return conn
 }
 
+func validateNodeName(nodeName string) (err error) {
+
+	errs := validation.IsDNS1123Subdomain(nodeName)
+	if len(errs) > 0 {
+		err = fmt.Errorf("invalid node name: %s", strings.Join(errs, ","))
+	}
+	return
+}
+
 func (srv *Server) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	nodeName := req.Header.Get("Node-Name")
+
+	err := validateNodeName(nodeName)
+	if err != nil {
+		klog.Warningf("closing the connection, due to: %v", err)
+		return
+	}
 	wsConn := srv.upgrade(w, req)
 	if wsConn == nil {
 		klog.Errorf("failed to upgrade to websocket for node %s", nodeName)
@@ -65,7 +83,7 @@ func (srv *Server) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	}
 
 	// serve connection
-	nodeClient := &nodeClient{conn: wsConn, req: req}
+	nodeClient := &nodeClient{conn: wsConn, req: req, nodeName: nodeName}
 	go nodeClient.Serve()
 }
 
@@ -104,8 +122,8 @@ func (nc *nodeClient) writeOneMsg(msg model.Message) error {
 }
 
 func (nc *nodeClient) Serve() {
-	nodeName := nc.req.Header.Get("Node-Name")
-	nc.nodeName = nodeName
+
+	nodeName := nc.nodeName
 	klog.Infof("established connection for node %s", nodeName)
 	// nc.conn.SetCloseHandler
 	closeCh := make(chan struct{}, 2)