Merge pull request #42 from ruvnet/security/fix-critical-vulnerabilities

Security: Fix critical vulnerabilities (includes fr4iser90 PR #38 + fix)
2026-02-28 21:44:00 -05:00
parent dd419daa81 e320bc95f0
commit fd8dec5cab
10 changed files with 226 additions and 66 deletions
--- a/ui/config/api.config.js
+++ b/ui/config/api.config.js
@@ -107,8 +107,12 @@ export function buildApiUrl(endpoint, params = {}) {

 // Helper function to build WebSocket URLs
 export function buildWsUrl(endpoint, params = {}) {
-  const protocol = window.location.protocol === 'https:' 
-    ? API_CONFIG.WSS_PREFIX 
+  // Use secure WebSocket (wss://) when serving over HTTPS or on non-localhost
+  // Use ws:// only for localhost development
+  const isLocalhost = window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1';
+  const isSecure = window.location.protocol === 'https:';
+  const protocol = (isSecure || !isLocalhost)
+    ? API_CONFIG.WSS_PREFIX
    : API_CONFIG.WS_PREFIX;
  
  // Match Rust sensing server port