Allow ws:// in production CSP for pre-SSL WebSocket connections

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 20:30:29 -05:00 · 2026-02-21 20:30:29 -05:00 · 62e3dc0395
commit 62e3dc0395
parent bda88d8218
1 changed files with 2 additions and 0 deletions
--- a/server/middleware/security.py
+++ b/server/middleware/security.py
@ -110,8 +110,10 @@ class SecurityHeadersMiddleware(BaseHTTPMiddleware):

        # Add WebSocket URLs
        if self.environment == "production":
+            connect_sources.append(f"ws://{host}")
            connect_sources.append(f"wss://{host}")
            for allowed_host in self.allowed_hosts:
+                connect_sources.append(f"ws://{allowed_host}")
                connect_sources.append(f"wss://{allowed_host}")
        else:
            # Development - allow ws:// and wss://