From ac094d4a9762f5e1dee046dfb75d9f9f441d2289 Mon Sep 17 00:00:00 2001
From: fr4iser
Date: Sat, 28 Feb 2026 20:40:19 +0100
Subject: [PATCH] security: Fix insecure WebSocket connections

- Use wss:// in production and non-localhost environments
- Only allow ws:// for localhost development
- Improve WebSocket security configuration

---
 ui/config/api.config.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ui/config/api.config.js b/ui/config/api.config.js
index 0577fdf..1b14d10 100644
--- a/ui/config/api.config.js
+++ b/ui/config/api.config.js
@@ -107,7 +107,11 @@ export function buildApiUrl(endpoint, params = {}) {
 // Helper function to build WebSocket URLs
 export function buildWsUrl(endpoint, params = {}) {
- const protocol = window.location.protocol === 'https:'
+ // Always use secure WebSocket (wss://) in production or when using HTTPS
+ // Use ws:// only for localhost development
+ const isLocalhost = window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1';
+ const isProduction = window.location.protocol === 'https:' || process.env.NODE_ENV === 'production';
+ const protocol = (isProduction || !isLocalhost) ? API_CONFIG.WSS_PREFIX : API_CONFIG.WS_PREFIX;