Fix: Add trust proxy for reverse proxy and fix asset paths for HTTPS

backend/src/app.js

@@ -12,6 +12,10 @@ const { apiLimiter } = require('./middlewares/rateLimiter');
 const app = express();
 const PORT = process.env.PORT || 3000;
 
+// Trust proxy (for Nginx Proxy Manager / reverse proxy)
+// This allows Express to correctly handle X-Forwarded-* headers
+app.set('trust proxy', true);
+
 // Security middleware with relaxed CSP for SPA
 app.use(
   helmet({
@@ -32,7 +36,7 @@ app.use(
         connectSrc: ["'self'", "https:", "http:", "ws:", "wss:"], // Allow API calls
         frameSrc: ["'none'"],
         objectSrc: ["'none'"],
-        upgradeInsecureRequests: [], // Upgrade HTTP to HTTPS if needed
+        // upgradeInsecureRequests removed - causes issues with reverse proxy
       },
     },
     crossOriginEmbedderPolicy: false, // Disable for better compatibility

frontend/vite.config.js

@@ -4,4 +4,18 @@ import react from '@vitejs/plugin-react'
 // https://vite.dev/config/
 export default defineConfig({
   plugins: [react()],
+  // Use relative paths for assets (works with both HTTP and HTTPS)
+  base: '/',
+  build: {
+    // Ensure assets use relative paths
+    assetsDir: 'assets',
+    rollupOptions: {
+      output: {
+        // Use relative paths for asset imports
+        assetFileNames: 'assets/[name]-[hash][extname]',
+        chunkFileNames: 'assets/[name]-[hash].js',
+        entryFileNames: 'assets/[name]-[hash].js',
+      },
+    },
+  },
 })