Https and IPFS - Is SSL needed with IPFS?

I am testing a new demo and I have an error saying IPFS needs https. Someone I know also testing said they did not need http. I am using nginx and I have two servers. I am also trying to add data.

I cannot seem to find a clear answer from the docs.

Is https needed for IPFS?

You do not need to use HTTPS to access your gateway or API, you can use unencrypted HTTP, but the public gateways force HTTPS.

I am getting errors using what I think is the API as follows -
App.js:239 ipfs add error DOMException: Only secure origins are allowed (see:

My code -
var zstr = ‘hello world from Zillerium2’
this.IpfsAPI.add(new Buffer(zstr), function (err, res){

Is this likely to be a config error in my setup or do I need https? I have tried using https but I am getting a lot of nodejs conflicts.

What URL did you provide when creating this.IpfsAPI object?

I am using the IP address - this.IpfsAPI = IpfsAPI(‘’, ‘5001’)

I have two servers - one for IPFS and one for the ReactJS. ReactJS is under and he IPFS has no domain name. I have this running -
root@ubuntu-2gb-nyc2-01:/home/zipfs# ipfs daemon
Initializing daemon…
Adjusting current ulimit to 2048…
Successfully raised file descriptor limit to 2048.
Swarm listening on /ip4/
Swarm listening on /ip4/
Swarm listening on /ip4/
Swarm listening on /ip4/
Swarm listening on /ip6/::1/tcp/4001
API server listening on /ip4/
Gateway (readonly) server listening on /ip4/
Daemon is ready

Looks like you are using Service Worker(?) or something similar somewhere in your code.

I may be missing something, but last time i checked similar setup it only accepted HTTP with localhost IP ( For anything else TLS was required.

So either set up TLS or run IPFS API on the same hostname&port as your app (can be done with reverse proxy such as Nginx).

Keep in mind that exposing API port to the public internet is a huge security risk. Anyone can upload or pin anything to your node. It is generally a better idea to hide API by tying it to localhost and orchestrating it via custom backend code that provides authorization etc.

1 Like

I get a lot of conflicting info about this - I had a lot of npm issues with https and someone from the npm group said that https was not needed for API calls. I am not sure myself. But whatever I try seems to fail. I added a new server to reduce the loan on my current one as I have only small servers at digital ocean.

I get X-Stream error (as posted). I have progressed past some of the errors before but this X-Stream error seems especially elusive.