Force HTTPS for Parse Server requests

When your own application makes requests to the Parse API, your Application ID is sent in plaintext in those API requests. This is dangerous, since anyone with bad intentions could sniff the requests and break into the application or, even worse, access confidential data from your clients.

To force HTTPS for all API requests, follow these steps:

  • Modify your /opt/bitnami/apps/parse/conf/httpd-vhosts.conf file so that it has the following structure:

    <VirtualHost *:80>
        ServerName DOMAIN
        ServerAlias www.DOMAIN
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
    </VirtualHost>
    
    <VirtualHost *:443>
        ServerName DOMAIN
        ServerAlias www.DOMAIN
        SSLEngine on
        SSLCertificateFile "/opt/bitnami/apps/parse/conf/certs/server.crt"
        SSLCertificateKeyFile "/opt/bitnami/apps/parse/conf/certs/server.key"
        Include "/opt/bitnami/apps/parse/conf/httpd-app.conf"
    </VirtualHost>
    

Please remember to replace the DOMAIN placeholders with the corresponding domain name.

  • Open the Apache vhosts file at /opt/bitnami/apache2/conf/bitnami/bitnami-apps-vhosts.conf and add the following line:

    Include "/opt/bitnami/apps/parse/conf/httpd-vhosts.conf"
    
  • Edit the serverURL property of both the api and dashboard objects in the script found at /opt/bitnami/apps/parse/htdocs/server.js:

    serverURL: "https://SERVER-IP/parse",
    

    Please remember to replace the SERVER-IP placeholder with the corresponding public IP or domain name.

  • Restart the stack servers:

    $ sudo /opt/bitnami/ctlscript.sh restart
    

Your application should now force HTTPS for all API requests correctly.
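
To confirm the vhosts layout from the first step, the following added example (not part of the original page) audits a vhosts file read from standard input: the port 80 block must only redirect, and the port 443 block must enable TLS and include the application. The helper name audit_vhosts and the example.com sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an Apache vhosts file for the HTTP -> HTTPS layout above.
# audit_vhosts is a hypothetical helper name; it reads the config on stdin,
# prints one FAIL line per problem and returns non-zero if any were found.
# Real use: audit_vhosts < /opt/bitnami/apps/parse/conf/httpd-vhosts.conf
audit_vhosts() {
    awk '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    { line = tolower($0) }                     # directive names are case-insensitive
    line ~ /^[ \t]*#/ { next }                 # skip comment lines
    line ~ /<virtualhost[ \t]/ {               # remember which port this block serves
        port = line; sub(/.*:/, "", port); sub(/[^0-9].*/, "", port); next
    }
    line ~ /<\/virtualhost>/ { port = ""; next }
    port == "80"  && line ~ /^[ \t]*rewriteengine[ \t]+on/ { engine = 1 }
    port == "80"  && line ~ /^[ \t]*rewriterule[ \t].*https:\/\/.*\[.*r/ { redirect = 1 }
    port == "80"  && line ~ /^[ \t]*include[ \t]/ { plain_app = 1 }
    port == "443" && line ~ /^[ \t]*sslengine[ \t]+on/ { ssl = 1 }
    port == "443" && line ~ /^[ \t]*sslcertificatefile[ \t]/ { cert = 1 }
    port == "443" && line ~ /^[ \t]*sslcertificatekeyfile[ \t]/ { key = 1 }
    port == "443" && line ~ /^[ \t]*include[ \t]/ { tls_app = 1 }
    END {
        if (!(engine && redirect)) fail("port 80 vhost does not redirect to https://")
        if (plain_app) fail("port 80 vhost includes the app config (API served in plaintext)")
        if (!(ssl && cert && key)) fail("port 443 vhost lacks SSLEngine on or cert/key paths")
        if (!tls_app) fail("port 443 vhost does not include the app config")
        exit bad + 0
    }'
}

# Constructed sample: port 80 serves the application directly and there is no
# port 443 block, so every check reports a failure.
audit_vhosts <<'EOF' || echo "weak sample rejected"
<VirtualHost *:80>
    ServerName example.com
    Include "/opt/bitnami/apps/parse/conf/httpd-app.conf"
</VirtualHost>
EOF
```

A redirect is only sent after the plaintext request has already arrived, so clients should also be configured with the https:// server URL rather than relying on the redirect.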

For more information about this process, refer to this section.

Last modification September 6, 2018