
Commit ac094d4

committed
security: Fix insecure WebSocket connections
- Use wss:// in production and non-localhost environments - Only allow ws:// for localhost development - Improve WebSocket security configuration
1 parent 896c4fc commit ac094d4

1 file changed

Lines changed: 5 additions & 1 deletion


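--- a/ui/config/api.config.js
+++ b/ui/config/api.config.js
@@ -107,7 +107,11 @@ export function buildApiUrl(endpoint, params = {}) {
 
 // Helper function to build WebSocket URLs
 export function buildWsUrl(endpoint, params = {}) {
-const protocol = window.location.protocol === 'https:'
+// Always use secure WebSocket (wss://) in production or when using HTTPS
+// Use ws:// only for localhost development
+const isLocalhost = window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1';
+const isProduction = window.location.protocol === 'https:' || process.env.NODE_ENV === 'production';
+const protocol = (isProduction || !isLocalhost)
 ? API_CONFIG.WSS_PREFIX
 : API_CONFIG.WS_PREFIX;
 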
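Review bot: `process.env.NODE_ENV` in the new `isProduction` line is only evaluated when the page is not served over https, and in a browser bundle where the build tool does not inline `process.env` that read would throw a ReferenceError instead of choosing a scheme; whether it does depends on the bundler configuration, which is not visible here. A guard such as `typeof process !== 'undefined' && process.env.NODE_ENV === 'production'` avoids that, or the term can be dropped, since `!isLocalhost` already forces wss:// on every non-loopback host. The loopback check also omits `[::1]`, so development over IPv6 localhost is pushed to wss://, which fails safe but deserves a comment next to `isLocalhost`. buildWsUrl's body continues past the end of the hunk, so how the host and `params` are appended to the URL is not covered by this review.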
