diff --git a/demo-client-app/src/App.js b/demo-client-app/src/App.js
index 1872819..d965210 100644
--- a/demo-client-app/src/App.js
+++ b/demo-client-app/src/App.js
@@ -1,6 +1,8 @@
 import { useCallback, useEffect } from "react";
 import Stomp from "webstomp-client";
 import SockJS from "sockjs-client";
+import { proxy } from "../package.json";
+
 import logo from "./logo.svg";
 import "./App.css";
 
@@ -8,10 +10,24 @@ let stomp;
 
 const connect = async (token) => {
   if (stomp != null) return;
-  console.info("Connect to Websocket");
-  const sock = new SockJS("http://localhost:8081/api/ws");
+  let url = "/api/ws";
+  let message = "Connect to Websocket";
+  // webpack-dev-server also uses sockjs-client;
+  // default proxy may incorrectly route requests
+  // resulting in transport switch,
+  // which is slow on https.
+  //
+  // Hence, we cannot rely on default proxy.
+  // Requests should be sent directly to a websocket.
+  if (process.env.NODE_ENV !== "production") {
+    url = `${proxy}${url}`;
+    message += " Directly";
+  }
+  console.info(message);
+  const sock = new SockJS(url);
   stomp = Stomp.over(sock);
 
+  // disable stomp logging
   stomp.debug = (msg) => {}
 
   stomp.connect(
@@ -69,7 +85,7 @@ function App({ keycloak }) {
           className="App-link"
           onClick={(e) => {
             e.preventDefault();
-            fetchFromApi("http://localhost:8081/api/userinfo");
+            fetchFromApi("/api/userinfo");
           }}
         >
           Get user email
@@ -79,7 +95,7 @@ function App({ keycloak }) {
           className="App-link"
           onClick={(e) => {
             e.preventDefault();
-            fetchFromApi("http://localhost:8081/api/users");
+            fetchFromApi("/api/users");
           }}
         >
           Get all users
diff --git a/demo-resource-server/src/main/java/ru/digitalbanana/demoresourceserver/config/WebSecurityConfig.java b/demo-resource-server/src/main/java/ru/digitalbanana/demoresourceserver/config/WebSecurityConfig.java
index 95ef275..e72cb75 100644
--- a/demo-resource-server/src/main/java/ru/digitalbanana/demoresourceserver/config/WebSecurityConfig.java
+++ b/demo-resource-server/src/main/java/ru/digitalbanana/demoresourceserver/config/WebSecurityConfig.java
@@ -10,9 +10,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
-      http.cors()
-          .and()
-          .csrf().disable()
+      http
             .authorizeRequests()
               .antMatchers(HttpMethod.GET, "/userinfo", "/user/**")
                 .authenticated()