diff --git a/deployments/common/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/deployments/common/crds/appprotectdos.f5.com_dosprotectedresources.yaml index 66214fc838..cda76ccd25 100644 --- a/deployments/common/crds/appprotectdos.f5.com_dosprotectedresources.yaml +++ b/deployments/common/crds/appprotectdos.f5.com_dosprotectedresources.yaml @@ -39,12 +39,13 @@ spec: type: object properties: protocol: - description: Protocol determines if the server listens on http1 / http2 / grpc. The default is http1. + description: Protocol determines if the server listens on http1 / http2 / grpc / websocket. The default is http1. type: string enum: - http1 - http2 - grpc + - websocket timeout: description: Timeout determines how long (in seconds) should NGINX App Protect DoS wait for a response. Default is 10 seconds for http1/http2 and 5 seconds for grpc. type: integer diff --git a/deployments/helm-chart/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/deployments/helm-chart/crds/appprotectdos.f5.com_dosprotectedresources.yaml index 66214fc838..cda76ccd25 100644 --- a/deployments/helm-chart/crds/appprotectdos.f5.com_dosprotectedresources.yaml +++ b/deployments/helm-chart/crds/appprotectdos.f5.com_dosprotectedresources.yaml @@ -39,12 +39,13 @@ spec: type: object properties: protocol: - description: Protocol determines if the server listens on http1 / http2 / grpc. The default is http1. + description: Protocol determines if the server listens on http1 / http2 / grpc / websocket. The default is http1. type: string enum: - http1 - http2 - grpc + - websocket timeout: description: Timeout determines how long (in seconds) should NGINX App Protect DoS wait for a response. Default is 10 seconds for http1/http2 and 5 seconds for grpc. type: integer diff --git a/docs/content/app-protect-dos/dos-protected.md b/docs/content/app-protect-dos/dos-protected.md index 422a6bdc0f..1a2623156d 100644 --- a/docs/content/app-protect-dos/dos-protected.md 
+++ b/docs/content/app-protect-dos/dos-protected.md
@@ -35,7 +35,7 @@ spec:
 |``enable`` | Enables NGINX App Protect DoS. | ``bool`` | No |
 |``name`` | Name of the protected object, max of 63 characters. | ``string`` | No |
 |``apDosMonitor.uri`` | The destination to the desired protected object. [App Protect DoS monitor](#dosprotectedresourceapdosmonitor) Default value: None, URL will be extracted from the first request which arrives and taken from "Host" header or from destination ip+port. | ``string`` | No |
-|``apDosMonitor.protocol`` | Determines if the server listens on http1 / http2 / grpc. [App Protect DoS monitor](#dosprotectedresourceapdosmonitor) Default value: http1. | ``enum`` | No |
+|``apDosMonitor.protocol`` | Determines if the server listens on http1 / http2 / grpc / websocket. [App Protect DoS monitor](#dosprotectedresourceapdosmonitor) Default value: http1. | ``enum`` | No |
 |``apDosMonitor.timeout`` | Determines how long (in seconds) should NGINX App Protect DoS wait for a response. [App Protect DoS monitor](#dosprotectedresourceapdosmonitor) Default value: 10 seconds for http1/http2 and 5 seconds for grpc. | ``int64`` | No |
 |``apDosPolicy`` | The [App Protect DoS policy](#dosprotectedresourceapdospolicy) of the dos. Accepts an optional namespace. | ``string`` | No |
 |``dosSecurityLog.enable`` | Enables security log. | ``bool`` | No |
diff --git a/pkg/apis/dos/v1beta1/types.go b/pkg/apis/dos/v1beta1/types.go
index b5c5cb96e2..0a487da491 100644
--- a/pkg/apis/dos/v1beta1/types.go
+++ b/pkg/apis/dos/v1beta1/types.go
@@ -33,8 +33,8 @@ type DosProtectedResourceSpec struct {
 type ApDosMonitor struct {
 // URI is the destination to the desired protected object in the nginx.conf:
 URI string `json:"uri"`
- // +kubebuilder:validation:Enum=http1;http2;grpc
- // Protocol determines if the server listens on http1 / http2 / grpc. The default is http1.
+ // +kubebuilder:validation:Enum=http1;http2;grpc;websocket
+ // Protocol determines if the server listens on http1 / http2 / grpc / websocket. The default is http1.
 Protocol string `json:"protocol"`
 // Timeout determines how long (in seconds) should NGINX App Protect DoS wait for a response. Default is 10 seconds for http1/http2 and 5 seconds for grpc.
 Timeout uint64 `json:"timeout"`
diff --git a/pkg/apis/dos/validation/dos.go b/pkg/apis/dos/validation/dos.go
index 9b7b1fafd9..2c4efc268b 100644
--- a/pkg/apis/dos/validation/dos.go
+++ b/pkg/apis/dos/validation/dos.go
@@ -152,9 +152,10 @@ func validateAppProtectDosName(name string) error {
 }
 var validMonitorProtocol = map[string]bool{
- "http1": true,
- "http2": true,
- "grpc": true,
+ "http1": true,
+ "http2": true,
+ "grpc": true,
+ "websocket": true,
 }
 func validateAppProtectDosMonitor(apDosMonitor v1beta1.ApDosMonitor) error {
diff --git a/pkg/apis/dos/validation/dos_test.go b/pkg/apis/dos/validation/dos_test.go
index fdb92c2661..e1bfc5494a 100644
--- a/pkg/apis/dos/validation/dos_test.go
+++ b/pkg/apis/dos/validation/dos_test.go
@@ -416,6 +416,11 @@ func TestValidateAppProtectDosMonitor(t *testing.T) {
 Protocol: "grpc",
 Timeout: 10,
 },
+ {
+ URI: "https://example.com/good_path",
+ Protocol: "websocket",
+ Timeout: 10,
+ },
 }
 negDstAntns := []struct {
 apDosMonitor v1beta1.ApDosMonitor
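Review bot: The `Timeout` comment left as context under the changed `Protocol` lines still gives defaults only for http1/http2 and grpc, so after this change the API documentation does not say how long the monitor waits for a websocket backend. Someone tuning DoS protection for a websocket service cannot tell from the field docs whether they need to set `timeout` explicitly. I would extend the comment along the lines of `// ... Default is 10 seconds for http1/http2, 5 seconds for grpc and <WEBSOCKET_DEFAULT> seconds for websocket.`, with the placeholder replaced by the real value. The same sentence is unchanged in both CRD `timeout` descriptions and in the `apDosMonitor.timeout` row of dos-protected.md. The `ApDosMonitor` struct continues outside the hunk.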
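Review bot: `validMonitorProtocol` is a second, hand-maintained copy of the allow-list already declared by the `+kubebuilder:validation:Enum` marker on `ApDosMonitor.Protocol`, and nothing in this hunk ties the two together. If one is updated without the other, the CRD schema and the controller's own validation will disagree on which protocols are accepted. A comment above the map would make the coupling explicit: `// validMonitorProtocol must list the same values as the +kubebuilder:validation:Enum marker on ApDosMonitor.Protocol.` The body of `validateAppProtectDosMonitor` is outside the hunk, so how the map is consulted is not visible here.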
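Review bot: The added positive case covers `websocket` only with an `https://` URI, so the table does not pin whether a `ws://` or `wss://` monitor URI is accepted or rejected for this protocol. The URI check sits in `validateAppProtectDosMonitor`, which this diff does not show, so I can't tell which outcome is intended. Either way, an entry such as `{URI: "wss://example.com/good_path", Protocol: "websocket", Timeout: 10}` in the matching table (positive or negative) would record the decision. `TestValidateAppProtectDosMonitor` starts and ends outside the hunk.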