SSL, HTTPS & Domain Configuration

Why HTTPS Is Mandatory

SSL/TLS encrypts the connection between the user's browser and your server. Without it, any network observer can read passwords, credit card numbers, and private messages in plain text.

HTTPS is not optional for any production application:

• Protects sensitive user data in transit
• Required for modern browser APIs (Service Workers, Camera, Geolocation)
• Required for HTTP/2 (significantly faster protocol)
• Google ranks HTTPS sites higher in search results
• Chrome displays "Not Secure" warning for all HTTP pages

How SSL Certificates Work

A certificate authority (CA) cryptographically vouches that a certificate belongs to the domain owner. Your browser trusts a list of known CAs. When you connect to a site, the browser verifies the certificate chain.

Let's Encrypt provides free, automatically renewed certificates. PaaS platforms (Vercel, Netlify, Railway) use Let's Encrypt to provision SSL automatically when you add a custom domain — you don't need to do anything manually.

Domain Configuration

Basic DNS Records

; A record — maps domain to IPv4 address
myapp.com.    A    76.223.54.104

; CNAME record — maps domain to another domain name
www.myapp.com.    CNAME    cname.vercel-dns.com.

; For apex domain on Vercel (use A record, not CNAME)
myapp.com.    A    76.223.54.104
myapp.com.    A    76.76.21.21

Subdomain Strategy

Organize subdomains logically:

myapp.com            → Production frontend
www.myapp.com        → Redirects to myapp.com
staging.myapp.com    → Staging environment
api.myapp.com        → API server (if separate from frontend)

Adding a Custom Domain to Vercel

1. In the Vercel dashboard, go to your project → Settings → Domains
2. Add your domain (e.g., myapp.com)
3. Vercel shows you the DNS records to configure
4. In your domain registrar (Namecheap, Cloudflare, etc.), add the records
5. Wait for DNS propagation (minutes to 48 hours)
6. Vercel automatically provisions an SSL certificate

Email DNS Records

To receive email at your domain, you need these DNS records:

; MX records — routes email to your mail server
myapp.com.    MX    10    smtp.google.com.

; SPF — authorizes which servers can send email for your domain
myapp.com.    TXT    "v=spf1 include:_spf.google.com ~all"

; DMARC — policy for handling emails that fail SPF/DKIM
_dmarc.myapp.com.    TXT    "v=DMARC1; p=quarantine; rua=mailto:admin@myapp.com"

Without SPF, DKIM, and DMARC, your emails will land in spam. These are required for transactional emails (account confirmation, password reset).

Common SSL Issues

Mixed content warnings: Your HTTPS page loads HTTP resources (images, scripts). Fix: update all asset URLs to HTTPS.

Certificate expiry: Let's Encrypt certificates expire after 90 days. PaaS platforms auto-renew. Self-hosted? Set up auto-renewal with Certbot.

Redirect loops: HTTP → HTTPS redirect on your server conflicts with the platform's redirect. Solution: configure only one redirect layer.

Key Takeaways

• HTTPS is mandatory — there is no valid reason to run production on HTTP
• PaaS platforms (Vercel, Netlify) provision SSL automatically when you add a domain — no manual certificate management needed
• DNS propagation takes time — changes may not be visible immediately, but usually resolve within minutes for Vercel
• SPF, DKIM, and DMARC records are required for email deliverability — without them, emails land in spam
• Mixed content warnings occur when an HTTPS page loads HTTP resources — audit all asset URLs in production