[{"data":1,"prerenderedAt":410},["ShallowReactive",2],{"blog-prompts/configure-https":3},{"id":4,"title":5,"body":6,"category":389,"date":390,"dateModified":391,"description":392,"draft":393,"extension":394,"faq":395,"featured":393,"headerVariant":396,"image":395,"keywords":395,"meta":397,"navigation":398,"ogDescription":399,"ogTitle":395,"path":400,"readTime":395,"schemaOrg":401,"schemaType":402,"seo":403,"sitemap":404,"stem":405,"tags":406,"twitterCard":408,"__hash__":409},"blog/blog/prompts/configure-https.md","Configure HTTPS Properly with AI Prompts",{"type":7,"value":8,"toc":380},"minimark",[9,16,21,29,302,311,327,331,334,354,368],[10,11,12],"tldr",{},[13,14,15],"p",{},"HTTPS encrypts traffic between users and your server, preventing eavesdropping and tampering. Modern platforms handle certificates automatically (Let's Encrypt). Your job: ensure HTTP redirects to HTTPS, fix mixed content, and add HSTS. These prompts help you get it right.",[17,18,20],"h2",{"id":19},"https-configuration-audit","HTTPS Configuration Audit",[13,22,23,24,28],{},"Paste this prompt to have your AI audit your entire HTTPS setup for common issues. 
You'll get a checklist covering certificate validity, HTTP-to-HTTPS redirects, mixed content, HSTS headers, and hardcoded ",[25,26,27],"code",{},"http://"," URLs in your codebase.",[30,31,33,36,39,64,67,85,88,99,103,106,148,158,162,168],"prompt-box",{"title":32},"Audit HTTPS Setup",[13,34,35],{},"Audit my HTTPS configuration for issues.",[13,37,38],{},"Check for:",[40,41,42,46,49,52,55,58,61],"ol",{},[43,44,45],"li",{},"Valid SSL certificate (not expired, correct domain)",[43,47,48],{},"HTTP to HTTPS redirect in place",[43,50,51],{},"No mixed content (HTTP resources on HTTPS pages)",[43,53,54],{},"HSTS header configured",[43,56,57],{},"Secure cookies have Secure flag",[43,59,60],{},"API endpoints use HTTPS",[43,62,63],{},"WebSocket uses WSS (not WS)",[13,65,66],{},"Common issues to find:",[68,69,70,73,76,79,82],"ul",{},[43,71,72],{},"Hardcoded http:// URLs in code",[43,74,75],{},"Images or scripts loaded over HTTP",[43,77,78],{},"API_URL using HTTP",[43,80,81],{},"Missing redirect from www to non-www (or vice versa)",[43,83,84],{},"Cookies without Secure flag",[13,86,87],{},"Search codebase for:",[68,89,90,93,96],{},[43,91,92],{},"http:// (should be https:// or protocol-relative)",[43,94,95],{},"Hardcoded localhost URLs in production code",[43,97,98],{},"Environment variables that might have HTTP URLs\n::",[17,100,102],{"id":101},"http-to-https-redirect","HTTP to HTTPS Redirect",[13,104,105],{},"Copy this prompt to generate HTTP-to-HTTPS redirect configuration for your platform. 
Your AI will provide ready-to-use snippets for Express, Nginx, Next.js/Vercel, and Apache with proper 301 permanent redirects.",[30,107,109,112,119,130,133,140],{"title":108},"Force HTTPS Redirect",[13,110,111],{},"Set up HTTP to HTTPS redirect for my application.",[13,113,114,115,118],{},"For Express:\napp.use((req, res, next) => {\nif (req.header('x-forwarded-proto') !== 'https' && process.env.NODE_ENV === 'production') {\nres.redirect(301, ",[25,116,117],{},"https://${req.header('host')}${req.url}",");\n} else {\nnext();\n}\n});",[13,120,121,122,129],{},"For Nginx:\nserver {\nlisten 80;\nserver_name example.com ",[123,124,128],"a",{"href":125,"rel":126},"http://www.example.com",[127],"nofollow","www.example.com",";\nreturn 301 https://$server_name$request_uri;\n}",[13,131,132],{},"For Next.js on Vercel:\n// Handled automatically by Vercel",[13,134,135,136],{},"For .htaccess (Apache):\nRewriteEngine On\nRewriteCond %{HTTPS} off\nRewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} ",[137,138,139],"span",{},"[L,R=301]",[13,141,142,143,147],{},"Important: Use 301 (permanent) redirect for SEO benefits.\nTest: curl -I ",[123,144,145],{"href":145,"rel":146},"http://yoursite.com",[127]," should show 301 to https://",[149,150,151],"warning-box",{},[13,152,153,157],{},[154,155,156],"strong",{},"HSTS locks you into HTTPS:"," Once you set HSTS, browsers will refuse HTTP connections for the max-age duration. Only enable after confirming HTTPS works perfectly. Start with a short max-age (3600) before going to 31536000.",[17,159,161],{"id":160},"fix-mixed-content","Fix Mixed Content",[13,163,164,165,167],{},"Use this prompt to find and fix mixed content issues where HTTP resources load on HTTPS pages. 
Your AI will search your codebase for ",[25,166,27],{}," URLs, identify common sources like third-party widgets and legacy image URLs, and provide fix patterns for each.",[30,169,171,174,177,180,191,194,200,206,212,215,223,226,240,244,247],{"title":170},"Find and Fix Mixed Content",[13,172,173],{},"Find and fix mixed content issues in my application.",[13,175,176],{},"Mixed content = HTTP resources loaded on HTTPS pages.\nBrowsers block these or show warnings.",[13,178,179],{},"Find issues:",[40,181,182,185,188],{},[43,183,184],{},"Check browser console for \"Mixed Content\" warnings",[43,186,187],{},"Search code for http:// URLs",[43,189,190],{},"Check external resources (images, scripts, fonts)",[13,192,193],{},"Fix approaches:",[13,195,196,197],{},"// Use protocol-relative URLs (auto-match current protocol)\n// ",[25,198,199],{},"\u003Cscript src=\"//cdn.example.com/script.js\">",[13,201,202,203],{},"// Better: Always use HTTPS\n// ",[25,204,205],{},"\u003Cscript src=\"https://cdn.example.com/script.js\">",[13,207,208,209],{},"// Best: Use relative paths when possible\n// ",[25,210,211],{},"\u003Cscript src=\"/scripts/app.js\">",[13,213,214],{},"// For dynamic URLs in JavaScript\nconst apiUrl = new URL('/api', window.location.origin);",[13,216,217,218,222],{},"// For environment variables\nAPI_URL=",[123,219,220],{"href":220,"rel":221},"https://api.example.com",[127]," // Not http://",[13,224,225],{},"Common sources:",[68,227,228,231,234,237],{},[43,229,230],{},"Third-party widgets/embeds",[43,232,233],{},"User-submitted content with http:// URLs",[43,235,236],{},"Legacy image URLs in database",[43,238,239],{},"Hardcoded URLs in CSS (background images)\n::",[17,241,243],{"id":242},"enable-hsts","Enable HSTS",[13,245,246],{},"This prompt asks your AI to configure HSTS (HTTP Strict Transport Security) with a safe rollout plan. 
You'll get framework-specific implementation for Express and Nginx, plus a graduated max-age strategy from 1 hour to 1 year.",[30,248,250,253,256,259,262,273,276,293,296,299],{"title":249},"Configure HSTS Header",[13,251,252],{},"Configure HSTS (HTTP Strict Transport Security) for my site.",[13,254,255],{},"HSTS tells browsers: \"Always use HTTPS for this site.\"",[13,257,258],{},"Recommended header:\nStrict-Transport-Security: max-age=31536000; includeSubDomains",[13,260,261],{},"Options:",[68,263,264,267,270],{},[43,265,266],{},"max-age: Seconds to remember HTTPS-only (31536000 = 1 year)",[43,268,269],{},"includeSubDomains: Apply to all subdomains",[43,271,272],{},"preload: Opt into browser preload list (permanent!)",[13,274,275],{},"Implementation order:",[40,277,278,281,284,287,290],{},[43,279,280],{},"Start with short max-age: max-age=3600 (1 hour)",[43,282,283],{},"Test everything works over HTTPS",[43,285,286],{},"Increase: max-age=86400 (1 day)",[43,288,289],{},"Test again",[43,291,292],{},"Go to full year: max-age=31536000",[13,294,295],{},"For Express (with Helmet):\napp.use(helmet.hsts({\nmaxAge: 31536000,\nincludeSubDomains: true\n}));",[13,297,298],{},"For Nginx:\nadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;",[13,300,301],{},"Warning: HSTS preload is permanent. Only add when 100% committed to HTTPS.",[303,304,305],"tip-box",{},[13,306,307,310],{},[154,308,309],{},"Pro tip:"," Test your SSL configuration at ssllabs.com/ssltest. It checks certificate validity, protocol support, cipher strength, and gives you a letter grade with specific recommendations.",[312,313,314,321],"faq-section",{},[315,316,318],"faq-item",{"question":317},"Do I need to buy an SSL certificate?",[13,319,320],{},"No. Let's Encrypt provides free certificates, and most hosting platforms (Vercel, Netlify, Cloudflare) include automatic HTTPS. 
Paid certificates are only needed for specific compliance requirements or extended validation.",[315,322,324],{"question":323},"My certificate is expiring. What do I do?",[13,325,326],{},"If using Let's Encrypt with auto-renewal (certbot), it should renew automatically. Check your cron jobs. Most hosting platforms handle this automatically. If manual, run your renewal command and reload the web server.",[17,328,330],{"id":329},"further-reading","Further Reading",[13,332,333],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[68,335,336,342,348],{},[43,337,338],{},[123,339,341],{"href":340},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[43,343,344],{},[123,345,347],{"href":346},"/blog/how-to/hide-api-keys","How to hide API keys step-by-step",[43,349,350],{},[123,351,353],{"href":352},"/blog/best-practices/secrets","Secret management best practices",[355,356,357,363],"related-articles",{},[358,359],"related-card",{"description":360,"href":361,"title":362},"Complete header setup","/blog/prompts/add-security-headers","Add Security Headers",[358,364],{"description":365,"href":366,"title":367},"Cookie Secure flag","/blog/prompts/secure-cookies","Secure Cookies",[369,370,373,377],"cta-box",{"href":371,"label":372},"/","Start Free Scan",[17,374,376],{"id":375},"check-your-https-setup","Check Your HTTPS Setup",[13,378,379],{},"Scan your site for HTTPS configuration issues and mixed content.",{"title":381,"searchDepth":382,"depth":382,"links":383},"",2,[384,385,386,387,388],{"id":19,"depth":382,"text":20},{"id":101,"depth":382,"text":102},{"id":160,"depth":382,"text":161},{"id":329,"depth":382,"text":330},{"id":375,"depth":382,"text":376},"prompts","2026-02-17","2026-03-06","AI prompts to configure HTTPS correctly. 
Set up SSL/TLS certificates, enforce HTTPS, and fix mixed content issues for secure connections.",false,"md",null,"cyan",{},true,"AI prompts to set up and enforce HTTPS on your web application.","/blog/prompts/configure-https","[object Object]","BlogPosting",{"title":5,"description":392},{"loc":400},"blog/prompts/configure-https",[407],"Deployment","summary_large_image","tmCjW6PI5IkSsqGz-FlH1177mYwjJEyAuIby43TGihc",1775843938587]