fix: add VITE_INSECURE_PROXY opt-in for cert issues

The backend server doesn't send the full certificate chain (only leaf cert),
causing TLS verification to fail even with system CA installed.

Added VITE_INSECURE_PROXY=true as opt-in workaround for devs with internal endpoints.

Author: Guillaume FORTAINE

README.md

@@ -75,9 +75,9 @@ The Vite proxy automatically:
 - Injects the NSC_TMAS cookie into all proxied requests
 - Supports WebSocket connections for `/api/back/ws`
 
-> **Note:** If you encounter TLS certificate errors with internal endpoints, run with:
+> **Note:** If you encounter TLS certificate errors with internal endpoints, add `VITE_INSECURE_PROXY=true`:
 > ```bash
-> NODE_OPTIONS='--use-system-ca' NSC_TMAS=your_cookie npm run start
+> VITE_INSECURE_PROXY=true NSC_TMAS=your_cookie npm run start
 > ```
 
 ## Start Contributing

vite.config.ts

@@ -53,12 +53,13 @@ export default defineConfig(() => {
   }
   const backend = BACKEND_ENVS[BACKEND_ENV]
 
-  // TLS verification is enabled by default. If you encounter certificate errors with
-  // internal endpoints, run Node with: NODE_OPTIONS='--use-system-ca' npm run start
+  // TLS verification is enabled by default. To disable for internal endpoints with
+  // self-signed certs, set VITE_INSECURE_PROXY=true (not recommended on untrusted networks)
+  const insecureProxy = process.env.VITE_INSECURE_PROXY === 'true'
   const createProxyConfig = (target: string, ws = false): ProxyOptions => ({
     target,
     changeOrigin: true,
-    secure: true,
+    secure: !insecureProxy,
     ws,
     rewrite: (path: string) => path.replace(/^\/api\/(fhir|back|datamodel)/, ''),
     configure: (proxy, _options) => {