diff --git a/SVSim.BattleNode/Hosting/BattleNodeWebSocketHandler.cs b/SVSim.BattleNode/Hosting/BattleNodeWebSocketHandler.cs
index 1a2d27a..1aa29dc 100644
--- a/SVSim.BattleNode/Hosting/BattleNodeWebSocketHandler.cs
+++ b/SVSim.BattleNode/Hosting/BattleNodeWebSocketHandler.cs
@@ -54,9 +54,20 @@ public sealed class BattleNodeWebSocketHandler
         }
 
         var pending = _store.TryGetPending(battleId);
-        if (pending is null || pending.ViewerId != viewerId)
+        if (pending is null)
         {
-            _log.LogWarning("Unknown battle/viewer pair: {Bid}/{Vid}", battleId, viewerId);
+            _log.LogWarning(
+                "WS upgrade for unknown BattleId={Bid} (decrypted viewerId={Vid}). " +
+                "Bridge may not have minted this battle, or it was already consumed/expired.",
+                battleId, viewerId);
+            ctx.Response.StatusCode = StatusCodes.Status400BadRequest;
+            return;
+        }
+        if (pending.ViewerId != viewerId)
+        {
+            _log.LogWarning(
+                "WS upgrade viewer-id mismatch on BattleId={Bid}: bridge expected={Expected}, decrypted={Got}.",
+                battleId, pending.ViewerId, viewerId);
             ctx.Response.StatusCode = StatusCodes.Status400BadRequest;
             return;
         }
diff --git a/SVSim.EmulatedEntrypoint/Security/SteamSessionAuthentication/SteamSessionAuthenticationHandler.cs b/SVSim.EmulatedEntrypoint/Security/SteamSessionAuthentication/SteamSessionAuthenticationHandler.cs
index 485bf25..431f6c4 100644
--- a/SVSim.EmulatedEntrypoint/Security/SteamSessionAuthentication/SteamSessionAuthenticationHandler.cs
+++ b/SVSim.EmulatedEntrypoint/Security/SteamSessionAuthentication/SteamSessionAuthenticationHandler.cs
@@ -37,10 +37,14 @@ public class SteamSessionAuthenticationHandler : AuthenticationHandler<SteamAuth
         string path = Request.Path;
         // WebSocket upgrades carry no body — Request.Body.Seek throws NotSupportedException
         // on Kestrel's HttpRequestStream. The battle node has its own per-connection auth
-        // (encrypted viewerId query/header validated against the matched battle id), so the
+        // (encrypted viewerId header validated against the matched battle id), so the
         // Steam handler has nothing to do here. Returning NoResult lets the request proceed
         // unauthenticated to the WS endpoint.
-        if (Context.WebSockets.IsWebSocketRequest)
+        // Header-based detection: Context.WebSockets.IsWebSocketRequest needs UseWebSockets()
+        // to have already run, but UseBattleNode (which calls UseWebSockets) is registered
+        // AFTER UseAuthentication in Program.cs. Reading the raw Upgrade header works
+        // regardless of middleware order.
+        if (string.Equals(Request.Headers["Upgrade"].ToString(), "websocket", StringComparison.OrdinalIgnoreCase))
         {
             return AuthenticateResult.NoResult();
         }