diff --git a/neode-ui/src/views/appSession/appSessionConfig.ts b/neode-ui/src/views/appSession/appSessionConfig.ts
index ba9b8c61..48e93cf4 100644
--- a/neode-ui/src/views/appSession/appSessionConfig.ts
+++ b/neode-ui/src/views/appSession/appSessionConfig.ts
@@ -145,15 +145,16 @@ export function resolveAppUrl(id: string, routeQueryPath?: string): string {
     }
   }
 
-  // Always use nginx proxy paths — direct port access fails over Tailscale/VPN
-  // and when ports aren't exposed externally
-  const proxyPathEntry = HTTPS_PROXY_PATHS[id]
-  if (proxyPathEntry) return `${window.location.origin}${proxyPathEntry}`
+  // HTTPS: use nginx proxy to avoid mixed content
+  if (window.location.protocol === 'https:') {
+    const httpsProxy = HTTPS_PROXY_PATHS[id]
+    if (httpsProxy) return `${window.location.origin}${httpsProxy}`
+  }
 
-  // Fallback: direct port (only for apps without a proxy path)
+  // HTTP: direct port access (iframes break with proxy paths due to root-relative assets)
   const port = APP_PORTS[id]
   if (!port) return ''
-  let base = `${window.location.protocol}//${window.location.hostname}:${port}`
+  let base = `http://${window.location.hostname}:${port}`
   if (routeQueryPath) base += routeQueryPath
   return base
 }