May 21, 2020
Very fun read!
The immediate fix for this seems pretty easy, and it’s possible that it doesn’t require any additional app code. Assuming you forked something like webpack-hot-client:
1. Create a secret and set it as a webpack global variable.
2. On the client, use the secret as the WebSocket protocol.
3. On the server, only accept requests using said protocol.
The problem is webpack-hot-client, despite being used by basically everyone, is essentially abandonware 😖.
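The three steps above, sketched as an added example that is not part of the original comment and is not webpack-hot-client code. It uses only Node.js built-ins; the names `createHmrSecret`, `checkUpgrade` and `__HMR_SECRET__` are hypothetical, and injecting the value with `webpack.DefinePlugin` is an assumption about how the "global variable" would be set.

```javascript
// Added example: hypothetical helper names, Node.js built-ins only.
const crypto = require('node:crypto');

// Step 1: one random secret per dev-server run. Hex characters are valid
// in a WebSocket subprotocol token, so the value can be sent unmodified.
function createHmrSecret() {
  return 'hmr-' + crypto.randomBytes(32).toString('hex');
}

// Step 2 (client side, shown as a comment because it runs in the browser):
//   new webpack.DefinePlugin({ __HMR_SECRET__: JSON.stringify(secret) })
//   const socket = new WebSocket(url, [__HMR_SECRET__]);

// Compare in constant time. Hashing first gives equal-length buffers,
// which crypto.timingSafeEqual requires.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(a).digest();
  const hb = crypto.createHash('sha256').update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Step 3: decide whether to accept an HTTP upgrade request.
// `headers` is the lower-cased header object Node's http module provides.
function checkUpgrade(headers, secret) {
  const raw = headers['sec-websocket-protocol'];
  if (typeof raw !== 'string') {
    return { accept: false, status: 401 };
  }
  // A client may offer several comma-separated subprotocols.
  const offered = raw.split(',').map((p) => p.trim()).filter(Boolean);
  const match = offered.find((p) => safeEqual(p, secret));
  if (!match) {
    return { accept: false, status: 401 };
  }
  // The server echoes the chosen subprotocol in its handshake response.
  return { accept: true, protocol: match };
}
```

A page on another origin can open a WebSocket to the dev server, but it cannot offer the right subprotocol unless it already knows the secret, so the handshake is refused before any message is exchanged.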