Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/JuanSebasSV/healtyhelp/llms.txt

Use this file to discover all available pages before exploring further.

This guide walks you through taking HealtyHelp from a local development clone to a fully running production deployment. The stack is a Vite + React frontend (static files) and an Express + MongoDB backend (Node.js server), which can be hosted independently on any compatible platform.
Never commit .env files to version control. Add server/.env and client/.env to your .gitignore before your first push. Exposed secrets — particularly JWT_SECRET and CLOUDINARY_API_SECRET — can compromise every user account and all uploaded assets.

Prerequisites

Before deploying, make sure you have accounts and credentials for each external service HealtyHelp depends on:
ServicePurposeFree tier?
MongoDB AtlasManaged database✅ M0 cluster
CloudinaryAvatar and image storage✅ Free tier
GroqLLaMA AI chatbot API✅ Free tier
Google Cloud ConsoleOAuth 2.0 for Google login✅ Free
ResendTransactional email (verification, password reset)✅ Free tier
You will need all credentials from these services ready before setting environment variables.

Deployment steps

1
Build the client
2
Navigate to the client/ directory and run the Vite production build:
3
cd client
npm install
npm run build
4
Vite compiles and bundles the React application into a client/dist/ directory. This is the folder you will upload to your static host.
5
The build script is defined in client/package.json as vite build and produces an optimised, minified output with hashed filenames for cache-busting.
6
Configure SPA routing
7
The file client/public/_redirects is automatically included in the dist/ output. Its content is:
8
/*    /index.html   200
9
This single rule tells Netlify (and compatible static hosts) to serve index.html for every URL, allowing React Router to handle client-side navigation without returning a 404 on page refresh or deep-link.
10
If you use a different host, configure an equivalent rewrite rule:
11
  • Vercel — add a vercel.json with "rewrites": [{ "source": "/(.*)", "destination": "/index.html" }]
  • Apache — add a .htaccess with FallbackResource /index.html
  • Nginx — add try_files $uri /index.html; in your server block
    • 12
    Deploy the client
    13
    Upload the contents of client/dist/ to any static-file host.
    14
    Netlify (recommended)
    15
  • Connect your repository to Netlify (or drag-and-drop the dist/ folder).
  • Set the Base directory to client, Build command to npm run build, and Publish directory to client/dist.
  • Add the environment variable VITE_API_URL=https://api.your-domain.com/api in Site settings → Environment variables.
  • Deploy. The _redirects file is picked up automatically.
    • 16
    Other static hosts (Vercel, Cloudflare Pages, AWS S3 + CloudFront)
    17
    Point the host at client/dist/ and set VITE_API_URL as a build-time environment variable. Add the SPA rewrite rule appropriate for that platform (see step 2).
    18
    Deploy the server
    19
    The server is a standard Node.js application. Any host that can run node server.js will work.
    20
    Recommended platforms
    21
    PlatformNotesRailwayZero-config Node.js, free starter planRenderFree web service, auto-deploys from GitFly.ioContainer-based, generous free allowancesVPS (DigitalOcean, Hetzner, etc.)Full control; use PM2 or systemd
    22
    Steps for any platform:
    23
    cd server
npm install --omit=dev
node server.js
    24
    The npm start script in server/package.json is also node server.js, so platforms that auto-detect Node.js will use it automatically.
    25
    Set NODE_ENV=production as an environment variable on the host — this tightens the auth rate limiter and hides stack traces from API error responses.
    26
    Set environment variables
    27
    Set every variable from the table below in your server host’s environment settings panel (not in a committed .env file).
    28
    Server — required
    29
    VariableExample valueMONGO_URImongodb+srv://user:pass@cluster0.xxxxx.mongodb.net/healtyhelp?retryWrites=true&w=majorityJWT_SECRET<32+ random characters>JWT_EXPIRE7dPORT5000 (or set by host automatically)FRONTEND_URLhttps://your-app.netlify.appBACKEND_URLhttps://api.your-domain.comGROQ_API_KEYgsk_…NODE_ENVproduction
    30
    Google OAuth
    31
    VariableWhere to find itGOOGLE_CLIENT_IDGoogle Cloud Console → APIs & Services → CredentialsGOOGLE_CLIENT_SECRETSame credential entry
    32
    Remember to add https://api.your-domain.com/api/auth/google/callback to the Authorised redirect URIs list in your Google Cloud OAuth client settings. The callback URL is constructed automatically from BACKEND_URL by server/config/passport.js.
    33
    Cloudinary
    34
    VariableWhere to find itCLOUDINARY_CLOUD_NAMECloudinary dashboard homepageCLOUDINARY_API_KEYCloudinary dashboard → Settings → API KeysCLOUDINARY_API_SECRETSame location
    35
    Email (Resend)
    36
    VariableValueRESEND_API_KEYResend dashboard → API KeysEMAIL_FROMHealtyHelp <noreply@your-verified-domain.com>
    37
    Your sending domain must be verified in Resend before emails will be delivered.
    38
    Client — set in your static host’s build environment
    39
    VariableValueVITE_API_URLhttps://api.your-domain.com/api
    40
    Bootstrap the first admin user
    41
    Once the server is running in production and connected to MongoDB, run the initSuperAdmin script once to create the initial super-admin account.
    42
    Set these three extra variables temporarily in your environment (remove them after the script completes):
    43
    SUPER_ADMIN_NAME="Super Admin"
SUPER_ADMIN_EMAIL="admin@your-domain.com"
SUPER_ADMIN_PASSWORD="ChangeMe123!"
    44
    Then execute the script:
    45
    cd server
node scripts/initSuperAdmin.js
    46
    Expected output:
    47
    ✅ Conectado a MongoDB
✅ Superadmin creado exitosamente
📧 Email: admin@your-domain.com
⚠️  IMPORTANTE: Cambia la contraseña inmediatamente después del primer login
    48
    The script is idempotent — if an account with that email already exists it exits without creating a duplicate.
    49
    Change the super-admin password immediately after your first login. Do not leave the SUPER_ADMIN_PASSWORD variable set in your production environment after running the script.

    Security checklist

    Generate a cryptographically random secret of at least 32 characters:
    node -e "console.log(require('crypto').randomBytes(48).toString('hex'))"
    A weak or guessable JWT_SECRET lets an attacker forge authentication tokens and impersonate any user, including admins.
    Setting NODE_ENV=production on your server host has two important security effects:
    1. Tighter auth rate limit/api/auth/login drops from 200 to 20 requests per 15 minutes, significantly raising the cost of brute-force and credential-stuffing attacks.
    2. Hidden error details — the global error handler suppresses err.message from API responses, preventing accidental leakage of internal paths, query details, or stack frames.
    Always confirm this variable is set before opening your API to the public internet.
    server/server.js builds the CORS origin array from process.env.FRONTEND_URL. In production, set this to your exact frontend origin (no trailing slash) and nothing else:
    FRONTEND_URL=https://your-app.netlify.app
    An overly permissive CORS policy allows any website to make credentialed requests to your API on behalf of a logged-in user.
    HealtyHelp already calls app.use(helmet()) near the top of server/server.js. Helmet sets a collection of security-relevant HTTP response headers out of the box, including:
    • Content-Security-Policy
    • X-Frame-Options: DENY
    • X-Content-Type-Options: nosniff
    • Strict-Transport-Security (HSTS)
    No additional configuration is required — just make sure you do not remove or disable the helmet() middleware.
    app.use(hpp()) is applied in server/server.js to protect against HTTP Parameter Pollution attacks, which attempt to override Express query parameters by supplying duplicate keys. This middleware is already active and requires no extra setup.
    Ensure both server/.env and client/.env are listed in your root .gitignore:
    # Environment files — NEVER commit these
.env
.env.*
!.env.example
    Use your hosting platform’s secrets/environment panel to inject variables at runtime instead.

    Build docs developers (and LLMs) love

    Get started for freeTalk to us