diff --git a/web/src/busService.ts b/web/src/busService.ts
index 00d8b67..eb87d47 100644
--- a/web/src/busService.ts
+++ b/web/src/busService.ts
@@ -24,11 +24,26 @@ import {
 import type { WalletIdentity } from "./wallet/derive";
 import type { MeInfo, Message, Room, User } from "./types";
 
-// Bus endpoints. A browser cannot open a raw TCP NATS socket, so the data plane is
-// reached over WebSocket; the control plane is the signed HTTPS API. Both default to
-// a cluster node and can be overridden at build time (VITE_BUS_HTTP / VITE_BUS_WS).
-const BUS_HTTP = import.meta.env.VITE_BUS_HTTP ?? "https://51.91.100.142:8470";
-const BUS_WS = import.meta.env.VITE_BUS_WS ?? "wss://51.91.100.142:8480";
+// Bus endpoints. The SPA is served same-origin behind a reverse proxy (Caddy):
+// both planes are reached through this page's OWN origin, so there is no CORS and
+// the cluster node IPs stay hidden behind the proxy. The control plane is the
+// signed HTTPS API under the relative path /api; the data plane is NATS over
+// WebSocket under /nats (a browser cannot open a raw TCP NATS socket). Both can
+// still be overridden at build time (VITE_BUS_HTTP / VITE_BUS_WS) for a dev setup
+// that points straight at a cluster node.
+const BUS_HTTP = import.meta.env.VITE_BUS_HTTP ?? "/api";
+const BUS_WS = import.meta.env.VITE_BUS_WS ?? defaultBusWS();
+
+// defaultBusWS derives the data-plane WebSocket URL from the page origin: the same
+// host and port as the SPA, the wss/ws scheme mirroring https/http, path /nats. A
+// browser WebSocket needs an absolute ws(s) URL, so this is computed from location
+// rather than left relative. Returns "" where window is absent (SSR/tests), where
+// the build-time override is expected instead.
+function defaultBusWS(): string {
+  if (typeof window === "undefined") return "";
+  const proto = window.location.protocol === "https:" ? "wss:" : "ws:";
+  return `${proto}//${window.location.host}/nats`;
+}
 
 export class SessionError extends Error {}