Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Nandini-13/PsycheIT/llms.txt

Use this file to discover all available pages before exploring further.

Deploying PsycheIT to production involves building the React frontend into static assets, running the Express backend as a managed process, and hardening several default settings that are intentionally left simple for local development. Work through the checklist below before exposing the application to real users.

Pre-Deployment Checklist

1

Replace the hardcoded JWT secret

The server currently signs tokens with the literal string 'secretKey'. Generate a cryptographically strong replacement and store it as an environment variable:
node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
Set the output as JWT_SECRET in your server environment and update server.js to use process.env.JWT_SECRET instead of the hardcoded value.
2

Replace flat-file user storage with a database

User records are written to users.json using synchronous fs calls, which are not safe for concurrent requests and provide no durability guarantees. Before going live, migrate to a proper database — MongoDB, PostgreSQL, and SQLite are all reasonable choices for an application at this scale.
3

Restrict CORS to your production domain

The backend currently mounts cors() with no options, which allows requests from any origin. Lock this down to your frontend domain:
// server.js
app.use(cors({ origin: "https://your-domain.com" }));
4

Update hardcoded backend URLs in the frontend

The chatbot page references the backend via the hardcoded string http://localhost:5000. Before building for production, replace every occurrence of this string in frontend/src/ with your production API base URL (e.g. https://api.your-domain.com).
5

Build the frontend

Produce an optimised, minified bundle:
cd frontend
npm run build
# Output written to: frontend/dist/

Building the Frontend

The Vite build command compiles, tree-shakes, and minifies the React application into a directory of static files: 
cd frontend
npm run build
# Output: frontend/dist/
The resulting dist/ directory contains an index.html entry point and hashed asset files. Because all routing is handled client-side by React Router, you must configure your host to serve index.html for every path (the try_files $uri /index.html pattern in the Nginx example below handles this). The dist/ directory can be deployed to any static hosting service or CDN:
  • Netlify / Vercel — drag-and-drop or Git-connected deployments; both detect Vite automatically.
  • GitHub Pages — push dist/ to a gh-pages branch.
  • Nginx / Apache — copy dist/ to your web root and configure a catch-all rewrite rule.
  • Any object storage CDN (AWS S3 + CloudFront, Cloudflare R2, etc.) — upload dist/ and enable static website hosting.

Running the Backend

The Express server is a plain Node.js process with no built-in clustering or process supervision. For production, wrap it in a process manager so it restarts automatically on crash and survives server reboots. Using PM2 (recommended): 
# Install PM2 globally (once per server)
npm install -g pm2

# Start the API server
cd server
pm2 start server.js --name psycheit-api

# Persist across reboots
pm2 save
pm2 startup
Environment variables with PM2: 
PORT=5000 JWT_SECRET=your-secret pm2 start server.js --name psycheit-api
Or create a server/ecosystem.config.cjs file: 
module.exports = {
  apps: [
    {
      name: "psycheit-api",
      script: "server.js",
      env_production: {
        NODE_ENV: "production",
        PORT: 5000,
        JWT_SECRET: "your-strong-secret-here",
      },
    },
  ],
};
Then start with: 
pm2 start ecosystem.config.cjs --env production
Always set NODE_ENV=production — Express 5 enables several performance and security optimisations in this mode.

Nginx Reverse Proxy

Place Nginx in front of both the static frontend assets and the Express API. This lets you serve everything from a single domain, handle TLS termination in one place, and keep the Node.js port unexposed to the internet. 
server {
    listen 80;
    server_name your-domain.com;

    # Proxy API requests to the Express backend
    location /api/ {
        proxy_pass http://localhost:5000/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Serve the built React app
    location / {
        root /var/www/psycheit/dist;
        try_files $uri /index.html;
    }
}
After placing the dist/ contents in /var/www/psycheit/dist, reload Nginx: 
sudo nginx -t && sudo systemctl reload nginx
Use Certbot to add a free TLS certificate and redirect HTTP → HTTPS.

Calendly Integration

The counselor booking feature uses Calendly URLs embedded in frontend/src/bookSession/booking.jsx. Two of the three counselors (nandini-gangadharan and meenal-singh) have real, active Calendly links. The third entry (nidhi-pathak) uses a placeholder URL (https://calendly.com/your-username/nidhi-pathak) that must be replaced with a real Calendly link before the booking feature is complete. No backend configuration is required — the integration is entirely client-side.

Security Hardening

The following three issues exist in the default codebase and must all be resolved before the application handles real student data:
  1. Open CORSapp.use(cors()) with no options allows cross-origin requests from any domain. Restrict this to your production frontend origin.
  2. Hardcoded JWT secret — The string 'secretKey' in server.js is public knowledge. Replace it with a randomly generated 64-byte hex value stored in an environment variable (JWT_SECRET).
  3. Flat-file user storageusers.json is written with synchronous filesystem calls, has no access controls, and cannot safely handle concurrent writes. Replace it with a proper database before accepting real user registrations.
Shipping with any of these defaults in place exposes students — a vulnerable population — to session hijacking, data loss, and unauthorised data access.

Build docs developers (and LLMs) love

Get started for freeTalk to us