
Fix insecure WebSocket by using secure protocol (wss)#33268

Open
Rajesh-Sangepu wants to merge 2 commits intocypress-io:developfrom
Rajesh-Sangepu:fix-version

Conversation

@Rajesh-Sangepu

This PR addresses a Semgrep SAST finding where the launchpad GraphQL WebSocket connection was hardcoded to use ws://. This bypassed the existing protocol logic that correctly upgrades connections to wss:// when the application is served over HTTPS.

Details

Affected File: packages/frontend-shared/src/graphql/urqlClient.ts

Issue: Insecure WebSocket (detect-insecure-websocket)

Location: ~Line 239

Fix

The hardcoded ws:// URL has been replaced with the dynamically derived protocol already used elsewhere in the file. This ensures the WebSocket connection uses wss:// for HTTPS deployments while retaining ws:// for HTTP/local development.

  • Before: `ws://${window.location.host}/__launchpad/graphql-ws`
  • After: `${protocol}//${window.location.host}/__launchpad/graphql-ws`
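Review bot: the replacement depends on `protocol` being defined and in scope at ~line 239 of urqlClient.ts; the description only says the derived protocol is "already used elsewhere in the file", so confirm it is the same in-scope binding rather than a local of another function, and that its value carries the trailing colon (e.g. `wss:`), since the template inserts `//` directly after it.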

Outcome

Secure WebSocket (wss://) is used automatically over HTTPS

Behavior is consistent across launchpad and non-launchpad targets

Resolves the reported SAST finding with a minimal, targeted change

root and others added 2 commits January 22, 2026 08:05
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 2 committers have signed the CLA.

❌ root
❌ Rajesh-Sangepu

root seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.


@alexsch01
Contributor

@jennifer-shehane is this even a valid argument?

@MikeMcC399
Contributor

@Rajesh-Sangepu

It sounds like your analysis is based on static-code analysis.

Are you familiar with the explanation in https://docs.cypress.io/app/faq#When-I-visit-my-site-directly-the-certificate-is-verified-however-the-browser-launched-through-Cypress-is-showing-it-as-Not-Secure-Why regarding an apparently insecure connection?

Have you traced network traffic that you would expect to be secure and seen that it is not secure?

@MikeMcC399
Contributor

This is probably a candidate for closure, as the submitter hasn't replied to comments (or signed the CLA for that matter).
