blomqma / next-rest-framework

Type-safe, self-documenting APIs for Next.js
https://next-rest-framework.vercel.app

Mixed content error when accessing openapi.json via docs #95

Closed cosigyn closed 10 months ago

cosigyn commented 10 months ago

This is not an issue in development, as localhost allows mixed content. However, after deploying to production (on https), I get these errors when I access the docs:

Blocked loading mixed active content “http://example.com/openapi.json”
[docs:25:13](https://example.com/api/docs)

Uncaught (in promise) TypeError: NetworkError when attempting to fetch resource.
    onload https://example.com/api/docs:25
    EventHandlerNonNull* https://example.com/api/docs:24
[docs:25:14](https://example.com/api/docs)

The issue appears to be that the docs page requests http://example.com/openapi.json rather than https.

This can be resolved in nginx by adding this to the server block of the configuration: `add_header 'Content-Security-Policy' 'upgrade-insecure-requests';`

This is not an ideal solution, however. The code should be updated to //example.com/openapi.json so that it is always the correct scheme.

blomqma commented 10 months ago

Currently the protocol is parsed from the incoming request's x-forwarded-proto header. If that header is not available, then the default protocol is http, which will be used for fetching the openapi.json in the docs. So in your case, your Nginx config probably does not contain a configuration like this, which would also address the issue:

```nginx
location / {
    proxy_set_header X-Forwarded-Proto $scheme;
    ...
}
```

However, I see no problem in using content-relative URLs or parsing the protocol in the browser for fetching the openapi.json in the docs, so I've gone ahead and fixed that in v3.4.4. Upgrading to that version should address your issue.
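
The scheme handling discussed in this thread, as an added example that is not part of the original comments or the project's code: the first function reproduces the described `x-forwarded-proto` fallback, the second validates the header value before using it, and the third resolves the spec URL against the page's own origin. All function names and sample header objects are hypothetical.

```javascript
// Added example; names are hypothetical, not next-rest-framework's API.

// Behaviour described in the thread: the scheme comes from X-Forwarded-Proto
// and falls back to http when the proxy does not set the header.
function specUrlFromHeaders(headers, path = '/openapi.json') {
  const proto = headers['x-forwarded-proto'] ?? 'http';
  return `${proto}://${headers.host}${path}`;
}

// Stricter server-side variant: use the first entry of a comma-separated
// chain, accept only http/https, and let the operator choose the fallback.
function forwardedScheme(headers, fallback = 'http') {
  const raw = headers['x-forwarded-proto'];
  const value = Array.isArray(raw) ? raw.join(',') : (raw ?? '');
  const first = value.split(',')[0].trim().toLowerCase();
  return first === 'http' || first === 'https' ? first : fallback;
}

// Browser-side resolution: a path-only or scheme-less reference inherits the
// scheme of the page that loaded it, so no proxy header is involved.
function specUrlInBrowser(pageUrl, ref = '/openapi.json') {
  return new URL(ref, pageUrl).href;
}

// Constructed sample requests (not captured traffic).
const noHeader = { host: 'example.com' };                 // proxy sets nothing
const withHeader = { host: 'example.com', 'x-forwarded-proto': 'https' };

console.log(specUrlFromHeaders(noHeader));    // http:// URL, blocked on an https page
console.log(specUrlFromHeaders(withHeader));  // https:// URL
console.log(specUrlInBrowser('https://example.com/api/docs'));
console.log(specUrlInBrowser('https://example.com/api/docs', '//example.com/openapi.json'));
```

The header-based variants are only as reliable as the proxy in front of the app: the value is meaningful when the proxy sets it on every request, as the `proxy_set_header` line above does.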