From 62e3dc03959be0623e73312ced64a3c7616a2f18 Mon Sep 17 00:00:00 2001
From: adlee-was-taken
Date: Sat, 21 Feb 2026 20:30:29 -0500
Subject: [PATCH] Allow ws:// in production CSP for pre-SSL WebSocket connections
Co-Authored-By: Claude Opus 4.6
---
 server/middleware/security.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/server/middleware/security.py b/server/middleware/security.py
index d1cb505..65f0054 100644
--- a/server/middleware/security.py
+++ b/server/middleware/security.py
@@ -110,8 +110,10 @@ class SecurityHeadersMiddleware(BaseHTTPMiddleware):
 # Add WebSocket URLs
 if self.environment == "production":
+ connect_sources.append(f"ws://{host}")
 connect_sources.append(f"wss://{host}")
 for allowed_host in self.allowed_hosts:
+ connect_sources.append(f"ws://{allowed_host}")
 connect_sources.append(f"wss://{allowed_host}")
 else:
 # Development - allow ws:// and wss://
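Review bot: The two added `connect_sources.append(f"ws://…")` lines in the production branch allow cleartext WebSocket connections to `host` and to every entry in `self.allowed_hosts` unconditionally, so the policy keeps permitting unencrypted `ws://` after TLS is enabled, and until then that traffic can be read or altered on the network path. Since the subject describes this as a pre-SSL measure, I would gate it behind an explicit opt-in that defaults to off, e.g. `if self.allow_insecure_ws: connect_sources.append(f"ws://{host}")` (`allow_insecure_ws` is a placeholder name for a new setting, not an existing attribute), and mark it with a comment such as `# TEMPORARY: cleartext ws:// until TLS is live; remove once wss:// is served`. With both schemes listed, the production branch also appears to grant the same schemes as the development branch described in the `else` comment; that is worth confirming, since the rest of the method lies outside the hunk.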