Cloudflare HTTPS Configuration for www.shahin-ai.com
Cloudflare provides automatic HTTPS for all domains. Here's how to configure it:
- Go to Cloudflare Dashboard → SSL/TLS
- Set encryption mode to Full (strict)
  - This ensures end-to-end encryption between Cloudflare and your origin server
- Enable Always Use HTTPS
  - Automatically redirects HTTP to HTTPS
- Enable Automatic HTTPS Rewrites
  - Rewrites HTTP URLs to HTTPS in your HTML
- Automatic HTTPS: Enabled by default
- Certificate: Cloudflare automatically provisions SSL certificates
- No configuration needed - HTTPS works out of the box
- If using Cloudflare Workers: HTTPS enabled automatically
- If using VPS/Server:
  - Install SSL certificate (Let's Encrypt recommended)
  - Configure reverse proxy (Nginx/Apache)
  - Set Cloudflare SSL mode to "Full (strict)"
```bash
# Install certbot
sudo apt-get update
sudo apt-get install certbot
# Get certificate
# --standalone starts its own listener on port 80, so nothing else (e.g. nginx)
# may be bound to that port while this runs
sudo certbot certonly --standalone -d api.shahin-ai.com
# Certificate location:
# /etc/letsencrypt/live/api.shahin-ai.com/fullchain.pem
# /etc/letsencrypt/live/api.shahin-ai.com/privkey.pem
```

Alternatively, issue a Cloudflare Origin CA certificate (trusted by Cloudflare's edge only, which is all the origin needs when it is reached exclusively through Cloudflare):

- Go to Cloudflare Dashboard → SSL/TLS → Origin Server
- Click "Create Certificate"
- Select:
  - Private key type: RSA (2048)
  - Hostnames: `api.shahin-ai.com,*.shahin-ai.com`
  - Certificate validity: 15 years
- Download certificate and private key
- Install on your server
```nginx
server {
    listen 443 ssl http2;
    server_name api.shahin-ai.com;
    ssl_certificate /etc/letsencrypt/live/api.shahin-ai.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.shahin-ai.com/privkey.pem;

    # SSL Configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security Headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Proxy to Node.js backend
    location / {
        proxy_pass http://localhost:3001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name api.shahin-ai.com;
    return 301 https://$server_name$request_uri;
}
```

Update backend/server.js to trust proxies:
```javascript
// Trust proxy (for Cloudflare). `true` believes X-Forwarded-* headers from any
// connecting client, so keep this only while the origin is reachable solely
// through Cloudflare/nginx; otherwise use a hop count or an IP allowlist.
app.set('trust proxy', true);
// Force HTTPS in production
if (process.env.NODE_ENV === 'production') {
  app.use((req, res, next) => {
    if (req.header('x-forwarded-proto') !== 'https') {
      res.redirect(`https://${req.header('host')}${req.url}`);
    } else {
      next();
    }
  });
}
```

Ensure all API calls use HTTPS:
```javascript
// In landing-page/services/bookingService.js
const API_BASE_URL = import.meta.env.VITE_API_URL || 'https://api.shahin-ai.com/api'
// In landing-page/services/sandboxService.js
const API_BASE_URL = import.meta.env.VITE_API_URL || 'https://api.shahin-ai.com/api'
```

Update CORS to allow HTTPS origins:
```javascript
const corsOptions = {
  origin: [
    'https://www.shahin-ai.com',
    'https://shahin-ai.com',
    // The cors package compares string entries literally, so a wildcard string
    // such as 'https://*.shahin-ai.com' matches nothing; the regex below is
    // what admits subdomains.
    /\.shahin-ai\.com$/
  ],
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With']
};
```
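The two server.js decisions above (redirect when the proxy says the client used HTTP, and which Origin values get CORS headers) as an added example, not the project's own server.js. They are written as pure functions so both can be unit-tested without a running server. Assumed layout: Cloudflare in front of nginx on loopback in front of Node, with `trust proxy` set; the `isAllowedOrigin`, `corsOrigin`, `httpsDecision` and `forceHttps` names are this example's own. The subdomain regex is anchored on both ends, which the page's `/\.shahin-ai\.com$/` is not (that one also accepts `http://` origins), and a request without a Host header is rejected instead of being redirected to `https://undefined/...`.

```javascript
// Added example, not the project's own server.js. Pure-function versions of the
// HTTPS redirect and CORS origin checks, testable without starting Express.

const EXACT_ORIGINS = new Set([
  'https://www.shahin-ai.com',
  'https://shahin-ai.com',
]);

// Any HTTPS subdomain of shahin-ai.com. Anchored at both ends so the scheme
// must be https and the registrable domain must really be shahin-ai.com.
const SUBDOMAIN_ORIGIN = /^https:\/\/(?:[a-z0-9-]+\.)+shahin-ai\.com$/i;

// True only for origins the API should answer with CORS headers.
function isAllowedOrigin(origin) {
  if (typeof origin !== 'string') return false;
  return EXACT_ORIGINS.has(origin) || SUBDOMAIN_ORIGIN.test(origin);
}

// Callback shape accepted by the cors package's `origin` option:
//   app.use(cors({ origin: corsOrigin, credentials: true }));
// A request with no Origin header (curl, server-to-server) gets no CORS
// headers; CORS only matters to browsers, so that is the safe default.
function corsOrigin(origin, callback) {
  callback(null, isAllowedOrigin(origin));
}

// Decide what to do with a request based on the proxy-supplied scheme.
// Returns { action: 'next' } for HTTPS, { action: 'redirect', target } for
// HTTP, and { action: 'reject' } when no Host header is present.
function httpsDecision(req) {
  const headers = req.headers || {};
  // Several proxies may append to this header; only the first value is the
  // scheme the client actually used.
  const proto = String(headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
  if (proto === 'https') return { action: 'next' };
  const host = headers.host;
  if (!host) return { action: 'reject' };
  const path = req.originalUrl || req.url || '/';
  return { action: 'redirect', target: `https://${host}${path}` };
}

// Express middleware built on httpsDecision. 301 so browsers cache the move;
// the HSTS header set by nginx makes later visits skip HTTP entirely.
function forceHttps(req, res, next) {
  const decision = httpsDecision(req);
  if (decision.action === 'next') return next();
  if (decision.action === 'reject') return res.status(400).send('Host header required');
  return res.redirect(301, decision.target);
}

// Wiring in server.js (assumed two trusted hops: nginx on loopback, then
// Cloudflare), kept as a comment so this file runs without express installed:
//   app.set('trust proxy', 2);
//   if (process.env.NODE_ENV === 'production') app.use(forceHttps);
//   app.use(cors({ origin: corsOrigin, credentials: true }));
```

`trust proxy: 2` is the assumed two-hop setting: Express then trusts the nginx socket address and the last X-Forwarded-For entry (Cloudflare) and reports the address Cloudflare saw as `req.ip`, whereas `true` trusts whatever the leftmost X-Forwarded-For value claims.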
```bash
curl -I https://www.shahin-ai.com
# Should return: HTTP/2 200
curl -I https://api.shahin-ai.com/health
# Should return: HTTP/2 200
openssl s_client -connect www.shahin-ai.com:443 -servername www.shahin-ai.com
```

Configure in Cloudflare Dashboard → Rules → Transform Rules:
| Header | Value |
|---|---|
| Strict-Transport-Security | `max-age=31536000; includeSubDomains; preload` |
| X-Content-Type-Options | `nosniff` |
| X-Frame-Options | `DENY` |
| X-XSS-Protection | `1; mode=block` |
| Referrer-Policy | `strict-origin-when-cross-origin` |
| Content-Security-Policy | `default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:;` |
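A small audit of the header policy in the table above, as an added example that is not part of the original page. It parses the raw output of `curl -I` (or any HTTP header block), reports which of the expected headers are missing, and flags two weak settings: an HSTS `max-age` under one year, and a `script-src` containing `'unsafe-inline'`, which the table's CSP has and which removes most of CSP's protection against injected scripts. X-XSS-Protection is not required because current browsers ignore it. The sample response is constructed; the `auditSecurityHeaders` and `parseHeaderBlock` names are this example's own.

```javascript
// Added example, not part of the original page: audit a response header block
// against the security-header policy in the table above.

// Parse "Name: value" lines into a lowercase-keyed map; the status line and
// blank lines have no colon and are skipped. Repeated headers are joined.
function parseHeaderBlock(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = headers[name] ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// One check per expected header: returns null when acceptable, else a finding.
const CHECKS = {
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m) return 'no max-age directive';
    if (Number(m[1]) < 31536000) return `max-age ${m[1]} is below one year`;
    return null;
  },
  'x-content-type-options': (v) =>
    (v.toLowerCase() === 'nosniff' ? null : `unexpected value "${v}"`),
  'x-frame-options': (v) =>
    (['deny', 'sameorigin'].includes(v.toLowerCase()) ? null : `unexpected value "${v}"`),
  'referrer-policy': () => null, // presence is enough for this audit
  'content-security-policy': (v) => {
    const scriptSrc = v.split(';').map((s) => s.trim()).find((s) => s.startsWith('script-src'));
    if (scriptSrc && scriptSrc.includes("'unsafe-inline'")) {
      return "script-src allows 'unsafe-inline', which removes most of CSP's XSS protection";
    }
    return null;
  },
};

// Returns { missing: [header names], weak: ["header: finding", ...] }.
function auditSecurityHeaders(raw) {
  const headers = parseHeaderBlock(raw);
  const missing = [];
  const weak = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    if (!(name in headers)) { missing.push(name); continue; }
    const finding = check(headers[name]);
    if (finding) weak.push(`${name}: ${finding}`);
  }
  return { missing, weak };
}

// Constructed sample: what `curl -I` might print when only the nginx headers
// above are in place (no Referrer-Policy, no Content-Security-Policy).
const SAMPLE_RESPONSE = [
  'HTTP/2 200',
  'content-type: application/json; charset=utf-8',
  'strict-transport-security: max-age=31536000; includeSubDomains',
  'x-frame-options: DENY',
  'x-content-type-options: nosniff',
  'x-xss-protection: 1; mode=block',
  'server: cloudflare',
].join('\n');

console.log(auditSecurityHeaders(SAMPLE_RESPONSE));
```

To run it against the live site, pipe `curl -sI https://api.shahin-ai.com/health` into a short wrapper that reads stdin and calls `auditSecurityHeaders` on the text; comparing the result for `www` and `api` shows whether the Transform Rule and the nginx block agree.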
```bash
# Create renewal script
sudo nano /etc/cron.monthly/certbot-renew
# Add:
#!/bin/bash
# The certificate was issued with --standalone, so renewal needs port 80 free:
# stop nginx for the challenge and start it again afterwards
certbot renew --quiet --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
# Make executable
sudo chmod +x /etc/cron.monthly/certbot-renew
```

- Ensure all resources (images, scripts, styles) use HTTPS
- Check browser console for mixed content errors
- Use relative URLs or protocol-relative URLs
- Verify certificate is valid and not expired
- Check certificate chain is complete
- Ensure server time is synchronized
- Verify CORS configuration allows HTTPS origins
- Check that credentials are properly configured
- Ensure preflight requests are handled
- Check SSL/TLS mode is set to "Full (strict)"
- Verify origin certificate is installed correctly
- Check that backend server is accessible
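A pre-deploy scan for the mixed-content problem in the troubleshooting list, as an added example that is not part of the original page. It walks built HTML (for instance the landing page's `dist/index.html`) and lists subresources still referenced with a plain `http://` scheme: `src`, `href`, `poster`, `action`, `data` and `srcset` attributes, plus `url(http://...)` in CSS. Relative and protocol-relative (`//`) URLs pass, and `<a>`/`<area>` links are skipped because navigating to HTTP is not mixed content. It is a regex heuristic rather than an HTML parser, so the browser console remains the authority; the sample page and the `findMixedContent` name are this example's own.

```javascript
// Added example, not part of the original page: find subresources a built HTML
// page would load over plain HTTP (mixed content). Heuristic regex scan.

// Attribute values the browser fetches as subresources or submits to.
const SUBRESOURCE_ATTRS = /\b(src|href|poster|action|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
const TAG = /<([a-z][a-z0-9-]*)\b([^>]*)>/gi;
const CSS_URL = /url\(\s*["']?(http:\/\/[^"')\s]+)/gi;
const PLAIN_HTTP = /^http:\/\//i;

// Returns [{ tag, attr, url }] for every plain-HTTP subresource reference.
function findMixedContent(html) {
  const findings = [];
  for (const tagMatch of html.matchAll(TAG)) {
    const tag = tagMatch[1].toLowerCase();
    // Links are navigations, not subresources: a plain-HTTP <a href> is not
    // mixed content, so it is deliberately ignored here.
    if (tag === 'a' || tag === 'area') continue;
    for (const attrMatch of tagMatch[2].matchAll(SUBRESOURCE_ATTRS)) {
      const attr = attrMatch[1].toLowerCase();
      const value = (attrMatch[2] ?? attrMatch[3] ?? attrMatch[4] ?? '').trim();
      if (PLAIN_HTTP.test(value)) findings.push({ tag, attr, url: value });
    }
    // srcset holds several comma-separated "url descriptor" entries.
    const srcset = /\bsrcset\s*=\s*["']([^"']*)["']/i.exec(tagMatch[2]);
    if (srcset) {
      for (const entry of srcset[1].split(',')) {
        const url = entry.trim().split(/\s+/)[0];
        if (PLAIN_HTTP.test(url)) findings.push({ tag, attr: 'srcset', url });
      }
    }
  }
  // url(http://...) inside <style> blocks or style="" attributes.
  for (const m of html.matchAll(CSS_URL)) {
    findings.push({ tag: 'css', attr: 'url()', url: m[1] });
  }
  return findings;
}

// Constructed sample page mixing safe and unsafe references.
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<style>.hero{background:url(http://cdn.example.com/bg.png)}</style>
</head><body>
<img src='HTTP://cdn.example.com/logo.png' alt="logo">
<img src="//cdn.example.com/safe.png">
<a href="http://example.com/external">link</a>
<form action="http://api.example.com/submit"></form>
</body></html>`;

console.log(findMixedContent(SAMPLE_HTML));
```

Run it over the built output before deploying; an empty result means nothing on the page contradicts the "use relative or protocol-relative URLs" rule above. Browsers also treat a form that posts to HTTP from an HTTPS page as insecure, which is why `action` is included.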
- SSL/TLS mode set to "Full (strict)"
- "Always Use HTTPS" enabled
- SSL certificate installed on backend server
- Nginx/Apache configured for HTTPS
- Backend server trusts proxy headers
- CORS configured for HTTPS origins
- Frontend URLs updated to HTTPS
- Security headers configured
- Certificate auto-renewal configured
- HTTPS tested and verified
- URL: https://api.shahin-ai.com/admin
- Authentication: Admin secret (set in `ADMIN_SECRET` environment variable)
- Default Secret: `admin-secret-change-in-production` (change in production!)
- System health monitoring
- Statistics dashboard
- File upload/download
- Sandbox session management
- Landing request management
- Contact message management
- SQL query execution (read-only)
- Admin secret required for all endpoints
- Rate limiting on admin endpoints
- Input sanitization
- Read-only SQL queries only
- File upload size limits (50MB)
Status: Ready for HTTPS deployment
Last Updated: 2025-01-XX