![\"\"](\"https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/5982\/files\/2022\/11\/HTTP-To-HTTPS.png\")
<\/figure><\/div>\n\n\n\nFor our full stack web application project, my capstone team has chosen an application architecture that consists of hosting the front-end application (user interface) and back-end application (REST API and database) separately on different servers, resulting in two URLs with different domain names. This configuration has the advantages of enforcing the design principal of separation of concerns<\/a> and allowing for greater development and deployment flexibility. We are using AWS Amplify<\/a> to deploy and host the front-end application built with React<\/a>. For the back-end, built using Java and Spring Boot<\/a>, we are using AWS Elastic Beanstalk<\/a> to orchestrate deployment and hosting using various services such as EC2 and Elastic Load Balancing. While Elastic Beanstalk could also be used to provision our PostgreSQL relational database, we have chosen to separate this component instead, and we have manually provisioned the database using Amazon RDS<\/a>. This allows us even greater flexibility, with the ability to deploy back-end changes without any unneeded impact to the database layer.<\/p>\n\n\n\n Although we are using two AWS services for deploying and hosting our front-end and back-end, each application ends up running on different compute instances with different domain names for accessing each on the internet. While there are benefits to this separation, there have been some local development and production environment issues that needed to be addressed. The first is Cross-Origin Resource Sharing<\/strong><\/a> (CORS). CORS is a \u201cmechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.\u201d This specification also applies to cross-origin requests made to our back-end REST API, but such requests are not enabled by default in our application framework, resulting in a blocked request message indicating that an Another issue we ran into was mixed content<\/strong><\/a>. AWS Amplify hosts our front-end application with a domain using HTTPS<\/a>, which uses a secure protocol (TLS<\/a>) to encrypt the web server connection and any requests and responses to\/from the server. Elastic Beanstalk, on the other hand, uses HTTP by default. While attempting to make requests from the front-end pages served over HTTPS to the back-end using unencrypted HTTP, such requests are blocked by the browser. This is a security feature to protect against man-in-the-middle<\/a> attacks and protect other vulnerabilities. While there may be various workarounds for getting past mixed-content blocking, we determined the best strategy to resolve this issue would be to also serve the back-end content over HTTPS instead of HTTP. We would come to find out this is not as straight forward as resolving the CORS issue.<\/p>\n\n\n\n Use a custom domain<\/strong><\/p>\n\n\n\n There are three different ways to use HTTPS with Elastic Beanstalk. Two of these methods involve setting up our own SSL certificate. Fortunately, I just so happened to already have a custom domain configured with a certificate on AWS. This allowed us to use the third option, and the easiest one, which is route traffic from the custom domain to the Application Load Balancer<\/a> (ALB) configured for our back-end application by Elastic Beanstalk. Amazon Route 53<\/a> is a Domain Name Service (DNS) that allows us to do just that.<\/p>\n\n\n\nAccess-Control-Allow-Origin<\/code> header is missing on the requested resource. We actually discovered this restriction while running the front-end app locally during development, which was making requests to the back-end running on AWS. Allowing cross-origin requests involves some back-end application configuration<\/a>, and addressing this issue for local development also resolves it when the application is running in production on AWS, as both environments use cross-origin requests.<\/p>\n\n\n\n
![\"\"](\"https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/5982\/files\/2022\/11\/Screenshot-from-2022-11-07-15-18-46-1024x186.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/5982\/files\/2022\/11\/Screenshot-from-2022-11-07-15-23-49-1024x189.png\")
<\/figure>\n\n\n\n