Force HTTPS for Parse Server requests

Before running the commands shown on this page, you should load the Bitnami stack environment by executing the installdir/use_APPNAME script (Linux and MacOS) or by clicking the shortcut in the Start Menu under “Start -> Bitnami APPNAME Stack -> Application console” (Windows). On OS X VMs, the installation directory is /opt/bitnami and OS X VM users can click the “Open Terminal” button to run commands. Learn more about the Bitnami stack environment and about OS X VMs.

When you design your own application and make requests to the Parse API you design, your Application ID will be sent in plaintext in API requests. This is dangerous, since anyone with bad intentions could sniff them and break into the application, or even worse, access confidential data from your clients.

To force HTTPS for all API requests, follow these steps:

  • Modify your installdir/apps/parse/conf/httpd-vhosts.conf file so that it fits with this structure.

    <VirtualHost *:80>
        ServerName DOMAIN
        ServerAlias www.DOMAIN
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
    <VirtualHost *:443>
        ServerName DOMAIN
        ServerAlias www.DOMAIN
        SSLEngine on
        SSLCertificateFile "installdir/apps/parse/conf/certs/server.crt"
        SSLCertificateKeyFile "installdir/apps/parse/conf/certs/server.key"
        Include "installdir/apps/parse/conf/httpd-app.conf"

Please remember to replace the DOMAIN placeholders with the corresponding domain name.

  • Open the Apache vhosts file at installdir/apache2/conf/bitnami/bitnami-apps-vhosts.conf and add the following line:

    Include "installdir/apps/parse/conf/httpd-vhosts.conf"
  • Edit the serverURL variable property from both api and dashboard objects in the script found at installdir/apps/parse/htdocs/server.js:

    serverURL: "https://localhost/parse",

    Please remember to replace the localhost placeholder with the corresponding public IP or domain name.

  • Restart the stack servers:

    $ sudo installdir/ restart

Your application should now force HTTPS for all API requests correctly.

For more information about this process, refer to this section.

Last modification September 6, 2018