
Upgrading WebSockets to TLS


For HTTP, it is possible to upgrade all requests to HTTPS with a 301 response.

For websocket, however, it doesn't seem to be that easy. If I redirect the ws://127.0.0.1 request to wss://127.0.0.1, I get an "error: undefined" in the browser using the test on websocket.org (and yes, the certificate is trusted and works for wss if used directly). The initial request is made, and the redirect sent out. However, there is no second request on the TLS port.

The specification only covers redirects briefly.

  • Is upgrading ws to wss possible?
  • Do I need to send WebSocket specific headers even with the redirect response? (Currently, I don't – and the specification lists redirecting before completing the handshake)
  • Any other thing that I miss?

Solution

  • For HTTP, it is possible to upgrade all requests to HTTPS with a 301 response.

    (Nitpicking) That's not really an upgrade of a request but instead a redirect which results in a different request.

    Is upgrading ws to wss possible?

    According to the websocket standard (RFC 6455):

    If the status code received from the server is not 101, the client handles the response per HTTP [RFC2616] procedures. In particular, the client might perform authentication if it receives a 401 status code; the server might redirect the client using a 3xx status code (but clients are not required to follow them), etc.

    So yes, it might be supported by some clients but not by others. For example, in Firefox the relevant property network.websocket.auto-follow-http-redirects defaults to false, i.e. it does not follow redirects by default.

    Do I need to send WebSocket specific headers even with the redirect response?

    These are only relevant for the upgrading of the request to websocket, not for redirects. This means the headers should only be sent in the upgrade response (status code 101).
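
The following is an added example, not code from the question or the answer. It shows a plaintext listener's redirect decision (a bare 301 with no Sec-WebSocket-* headers) next to a client helper that builds the wss:// URL itself, so the connection does not depend on a redirect the browser may not follow. The function names, the host allow-list and the host `chat.example.test` are assumptions made for illustration.

```javascript
// Added example. Host names and ports below are constructed placeholders.
const ALLOWED_HOSTS = new Set(['chat.example.test']);

// True when the headers are a WebSocket opening handshake (RFC 6455, 4.2.1).
// Node lower-cases header names; Firefox sends "Connection: keep-alive, Upgrade".
function isWebSocketHandshake(headers) {
  const upgrade = String(headers['upgrade'] || '').toLowerCase();
  const tokens = String(headers['connection'] || '').toLowerCase().split(/\s*,\s*/);
  return upgrade === 'websocket' && tokens.includes('upgrade');
}

// Response for the plaintext listener: a bare 301 with only a Location header.
// Sec-WebSocket-* headers belong to a 101 response, never to a redirect.
function plaintextResponse(req, tlsPort = 443) {
  const host = String(req.headers['host'] || '').toLowerCase().replace(/:\d+$/, '');
  // Never reflect an unvetted Host header or request target into Location.
  if (!ALLOWED_HOSTS.has(host) || !String(req.url).startsWith('/')) {
    return { status: 400, headers: {} };
  }
  const scheme = isWebSocketHandshake(req.headers) ? 'wss' : 'https';
  const port = tlsPort === 443 ? '' : `:${tlsPort}`;
  return { status: 301, headers: { Location: `${scheme}://${host}${port}${req.url}` } };
}

// Client side: always build a wss:// URL from the page's own host, because
// clients are not required to follow a 3xx sent during the handshake.
function webSocketUrlFor(pageUrl, path, tlsPort = 443) {
  const page = new URL(pageUrl);
  const target = new URL(path, `https://${page.hostname}`);
  if (target.hostname !== page.hostname) throw new Error('path must be same-host');
  const port = tlsPort === 443 ? '' : `:${tlsPort}`;
  return `wss://${page.hostname}${port}${target.pathname}${target.search}`;
}
```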