
Force HTTPS for Parse Server requests

When your own application makes requests to your Parse API over plain HTTP, your Application ID is sent in plaintext in each API request. This is dangerous: anyone with bad intentions who can sniff that traffic could capture it and break into the application or, even worse, access confidential data from your clients.

To force HTTPS for all API requests, follow these steps:

  • Edit the /opt/bitnami/apache/conf/parse-vhost.conf file so that it matches the structure below. Replace the DOMAIN placeholders with the corresponding domain name.

    <VirtualHost *:80>
        ServerName DOMAIN
        ServerAlias www.DOMAIN
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
    </VirtualHost>
    
  • Edit the /opt/bitnami/apache/conf/parse-https-vhost* file so that it matches the structure below.

    <VirtualHost *:443>
        ServerName DOMAIN
        ServerAlias www.DOMAIN
        SSLEngine on
        SSLCertificateFile "/opt/bitnami/apache/conf/bitnami/certs/server.crt"
        SSLCertificateKeyFile "/opt/bitnami/apache/conf/bitnami/certs/server.key"
    </VirtualHost>
    
  • Edit the serverURL property in both the api and dashboard objects in the script found at /opt/bitnami/apps/parse/htdocs/server.js:

    serverURL: "https://SERVER-IP/parse",
    

    Please remember to replace the SERVER-IP placeholder with the corresponding public IP or domain name.

  • Restart the servers in the stack:

      $ sudo /opt/bitnami/ctlscript.sh restart 
    

Your application should now force HTTPS for all API requests correctly.
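
To confirm the steps above took effect, the following added example (not part of the original guide) checks that a port-80 response redirects to https:// and that no serverURL line in server.js still uses http://. The function names are hypothetical, and the header samples and server.js fragment are constructed.

```shell
#!/bin/sh
# Added example: checks for the HTTPS steps above. Function names are
# hypothetical; the header samples and server.js fragment are constructed.

# Reads HTTP response headers on stdin (e.g. from: curl -sI http://DOMAIN/parse).
# Succeeds only for a 3xx response whose Location starts with https://.
redirects_to_https() {
    tr -d '\r' | awk '
        NR == 1 { code = $2 }
        tolower($1) == "location:" { loc = $2 }
        END { exit !(code ~ /^3[0-9][0-9]$/ && loc ~ /^https:\/\//) }'
}

# Prints each serverURL line in file $1 that does not use https://.
# Succeeds (printing nothing) when every serverURL value is HTTPS.
server_urls_use_https() {
    ! grep -n 'serverURL' "$1" | grep -v 'https://'
}

# Constructed: port-80 response once the RewriteRule is active ([R] sends 302).
good='HTTP/1.1 302 Found
Location: https://DOMAIN/parse'
# Constructed: port 80 still answering the API directly, no redirect.
bad='HTTP/1.1 200 OK
Content-Type: application/json'

printf '%s\n' "$good" | redirects_to_https && echo "port 80: redirects to HTTPS"
printf '%s\n' "$bad" | redirects_to_https || echo "port 80: NOT redirecting"

# Constructed server.js fragment: one object updated, one left on http://.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
serverURL: "https://SERVER-IP/parse",
serverURL: "http://SERVER-IP/parse",
EOF
server_urls_use_https "$tmp" || echo "server.js: serverURL lines above still use http://"
rm -f "$tmp"
```

Against a live server, pipe the output of `curl -sI http://DOMAIN/parse` into `redirects_to_https`. The redirect is only returned after the client has already sent its request in plaintext, so client applications should be configured with the https:// server URL directly.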

For more information about this process, refer to this section.

Last modification April 8, 2020