VNC with HTTPS, not using wss but ws

I am accessing Sunstone (ONE 4.8) via an HTTPS proxy.
When trying to access VNC, it fails because it tries to connect to ws instead of wss:

websock.js:285 Mixed Content: The page at ‘’ was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint ‘ws://localhost:17523/’. This request has been blocked; this endpoint must be available over WSS.

However, in the Sunstone config I have:

:vnc_proxy_support_wss: only
:vnc_proxy_cert: /x/y.crt
:vnc_proxy_key: /x/y.key

and the proxy server is running with:

root 30469 1 0 11:09 pts/3 00:00:00 python /usr/share/one/websockify/ --target-config=/var/lib/one/sunstone_vnc_tokens --cert /x/y.crt --key /x/y.key --ssl-only 29876

Setting VNC_WSS to yes in user preference works.
However, how can I set this as default for all users?

I don’t know whether there is a config option for that. Maybe change the setting with a hook?
Or you could make your HTTPS proxy deliver an HSTS header. Then the user’s browser will automatically upgrade all ws-connections to wss-connections.
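
The following added example is not part of the posts above and is not Sunstone or noVNC code. It derives the WebSocket scheme from the page's own protocol, so an HTTPS page never attempts ws:// regardless of the per-user preference. The function names, the host sunstone.example and the ?token= query parameter are assumptions.

```javascript
// Added example: names are hypothetical, not Sunstone or noVNC code.
// serverWss mirrors the :vnc_proxy_support_wss: setting ("no" | "yes" | "only").

function chooseScheme(pageProtocol, serverWss, userPrefWss) {
  const useTls =
    pageProtocol === "https:" ||   // an HTTPS page may only open wss://
    serverWss === "only" ||        // proxy started with --ssl-only
    userPrefWss === true;          // per-user VNC_WSS preference
  if (useTls && serverWss === "no") {
    // Fail loudly instead of falling back to ws:// and being blocked.
    throw new Error("wss:// required, but the VNC proxy has no TLS listener");
  }
  return useTls ? "wss" : "ws";
}

function vncWebSocketUrl(pageUrl, proxyPort, token, serverWss, userPrefWss) {
  const page = new URL(pageUrl);
  const scheme = chooseScheme(page.protocol, serverWss, userPrefWss);
  // Use the host the page was served from, so the certificate name matches.
  const url = new URL(`${scheme}://${page.hostname}:${proxyPort}/`);
  // Assumption: the proxy selects the VNC target from a ?token= parameter.
  url.searchParams.set("token", token);
  return url.toString();
}

// Simplified check for the condition the console error above reports:
// an HTTPS page trying to open a plain ws:// endpoint.
function isMixedContent(pageUrl, wsUrl) {
  return new URL(pageUrl).protocol === "https:" &&
         new URL(wsUrl).protocol === "ws:";
}
```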