diff --git a/adminlte2_pdq/constants.py b/adminlte2_pdq/constants.py
index 97f69caaea0cdffe9a87a11313dd9883e544260a..0ce52a2fcaf024074fee6801beaf87e16ca8b5d7 100644
--- a/adminlte2_pdq/constants.py
+++ b/adminlte2_pdq/constants.py
@@ -10,9 +10,12 @@ PWD_RESET_CONFIRM_ROUTE = getattr(settings, 'PWD_RESET_CONFIRM_ROUTE', 'password
 PWD_RESET_COMPLETE_ROUTE = getattr(settings, 'PWD_RESET_COMPLETE_ROUTE', 'password_reset_complete')
 REGISTER_ROUTE = getattr(settings, 'REGISTER_ROUTE', 'adminlte2_pdq:register')
 MEDIA_ROUTE = getattr(settings, 'MEDIA_URL', '/media/')
+WEBSOCKET_ROUTE = getattr(settings, 'WEBSOCKET_URL', '/ws/')
 
 # Known routes that should never have a permission check done.
 HOME_ROUTE = getattr(settings, 'ADMINLTE2_HOME_ROUTE', 'adminlte2_pdq:home')
+PWD_CHANGE = getattr(settings, 'PWD_CHANGE', 'password_change')
+PWD_CHANGE_DONE = getattr(settings, 'PWD_CHANGE_DONE', 'password_change_done')
 
 # List of known routes that should never require being logged in.
 LOGIN_EXEMPT_WHITELIST = [
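Review bot: The `'/ws/'` default on the new `WEBSOCKET_ROUTE` line switches the exemption on for every project. Any ordinary HTTP view mounted under `/ws/` then skips both the login check and the strict-policy permission check, through the two `verify_websocket_route` call sites added in middleware.py, even where no websockets are in use. An opt-in default would be safer: `WEBSOCKET_ROUTE = getattr(settings, 'WEBSOCKET_URL', None)`, which the truthiness guard in `verify_websocket_route` already treats as disabled. Either way the constant deserves a comment such as `# Paths under this prefix bypass login and permission checks; websocket consumers must enforce their own auth.` The setting name `WEBSOCKET_URL` is also un-namespaced, unlike `ADMINLTE2_HOME_ROUTE` a few lines below.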
@@ -27,6 +30,8 @@ LOGIN_EXEMPT_WHITELIST = [
 # List of known routes that should never require permissions to access.
 STRICT_POLICY_WHITELIST = [
     HOME_ROUTE,
+    PWD_CHANGE,
+    PWD_CHANGE_DONE,
 ] + LOGIN_EXEMPT_WHITELIST
 
 # Add any user defined list of exempt urls to the constant.
diff --git a/adminlte2_pdq/middleware.py b/adminlte2_pdq/middleware.py
index 7655aa372dddd1a69fcb8d1aee247a3835575b3b..69eeb7bbb6f563e5461bb4fd1a3b23738fb8b553 100644
--- a/adminlte2_pdq/middleware.py
+++ b/adminlte2_pdq/middleware.py
@@ -17,6 +17,7 @@ from .constants import (
     LOGIN_URL,
     HOME_ROUTE,
     MEDIA_ROUTE,
+    WEBSOCKET_ROUTE,
 )
 
 class AuthMiddleware:
@@ -88,6 +89,7 @@ class AuthMiddleware:
             or path in LOGIN_EXEMPT_WHITELIST
             or self.login_required_hook(request)
             or self.verify_media_route(path)
+            or self.verify_websocket_route(path)
         )
 
 
@@ -131,6 +133,7 @@ class AuthMiddleware:
                 or path in STRICT_POLICY_WHITELIST
                 or app_name == 'admin'
                 or self.verify_media_route(path)
+                or self.verify_websocket_route(path)
                 or self.verify_redirect_route(view_class)
             ):
                 exempt = True
@@ -178,6 +181,13 @@ class AuthMiddleware:
             return_val = path.startswith(MEDIA_ROUTE)
         return return_val
 
+    def verify_websocket_route(self, path):
+        """Verify that the path of the request is not a WEBSOCKET URL"""
+        return_val = False
+        if WEBSOCKET_ROUTE and WEBSOCKET_ROUTE != '/':
+            return_val = path.startswith(WEBSOCKET_ROUTE)
+        return return_val
+
     def verify_redirect_route(self, view_class):
         """Verify that the view class is a RedirectView"""
         return view_class and view_class == RedirectView
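Review bot: `verify_websocket_route` matches on a raw string prefix, so a configured value without a trailing slash (e.g. `'/ws'`) would also exempt unrelated paths such as `/wsadmin/` from the login and permission checks. Anchoring the match on a path segment avoids that: `return_val = path.startswith(WEBSOCKET_ROUTE.rstrip('/') + '/')`, with the guard tightened to `if WEBSOCKET_ROUTE and WEBSOCKET_ROUTE.strip('/'):` so slash-only values stay disabled. The docstring also reads inverted, since the method returns True when the path is under the websocket prefix; `"""Return True when path falls under WEBSOCKET_ROUTE and is therefore exempt from auth checks."""` would be accurate. The hunk opens inside `verify_media_route`, whose visible tail has the same prefix-matching shape.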
diff --git a/tests/test_middleware.py b/tests/test_middleware.py
index cad6a4a5a657b10481fc7b28826b56b04a7c1c70..7554dbfe2a426a1607ce60a735131c2db4333b59 100644
--- a/tests/test_middleware.py
+++ b/tests/test_middleware.py
@@ -340,6 +340,18 @@ class MiddlewareTestCase(TestCase):
         self.assertEqual(response.status_code, 200)
         self.assertContains(response, "<h1>Demo CSS</h1>")
 
+    @patch('adminlte2_pdq.middleware.LOGIN_REQUIRED', True)
+    @patch('adminlte2_pdq.middleware.STRICT_POLICY', True)
+    @patch('adminlte2_pdq.middleware.WEBSOCKET_ROUTE', '/demo-css/')  # Pretend the demo-css route is a websocket file.
+    def test_middleware_allows_when_websocket_url_defined_login_on_strict_on_login_wl_on_strict_wl_on(self):
+        """test_middleware_allows_when_websocket_url_defined_login_on_strict_on_login_wl_on_strict_wl_on"""
+        response = self.client.get(
+            reverse('adminlte2_pdq:demo-css'),
+            follow=True
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, "<h1>Demo CSS</h1>")
+
     # **************************************************************************
     # Logged In User - All Perms - Staff Status - Can see Admin page.
     # **************************************************************************
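Review bot: The new test only exercises the allow path, so nothing pins the cases where the exemption must not apply. Because a match skips both the login and the permission checks, negative tests belong next to it. Patch `WEBSOCKET_ROUTE` to `'/'` and to `''`, and to a prefix that does not cover the requested route, each time asserting that the request still goes through normal login/permission handling. The docstring only repeats the method name, and the inline comment says "websocket file", apparently carried over from the media test; `# Pretend the demo-css route lives under the websocket prefix.` would be clearer. Whether the test client is authenticated is set up outside this hunk, so the assertions should state that explicitly.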