I'm running my parse app on a naked domain. Parse is not making my life easy though.

At first I struggled to set it up because most DNS hosting services don't allow CNAMEs on the the root domain and Parse requires a CNAME.

Decided to try it out with CloudFlare's CNAME flattening and it ended up working by setting up the CNAME under [hostname key].example.com. Parse wouldn't allow me to set it up without the hostname key because example.com was not a real CNAME (it's being translated to an A record under the wood by CloudFlare).

But I want to run my website under HTTPS so I registered a certificate that is valid for both "https:// example.com" and "https:// www.example.com".

Again Parse doesn't make it easy. First it didn't accept my certificate because the hostname wouldn't match. I thought that maybe it was trying to compare it with the subdomain of the cert (www.example.com) and that wouldn't match with my app domain (example.com).

I created another CNAME at [hostname key].www.example.com poiting to my parseapp.com url (didn't want to change www.domain.com because it's already poiting to another service that redirects to domain.com), changed my app hostname to www.example.com and it finally accepted my certificate! Yeahhh!

Changed the app hostname back to example.com and tried to access it in the browser, but it takes forever to load and ends failing. If I change my app to run on "https:// www.example.com" (secure site with with the www subdomain) then it works fine.

So I'm able to run my app in http://example.com (not secure, without www) or "https:// www.example.com" (secure with www).

Why is it that Parse makes it so difficult to run an app on the root domain?

Is there something that I need to do to be able to run a secure app in the root domain?

Most of web services nowadays are designed around the idea of CNAMEs: they provide you a CNAME and you should alias your hostname to that name.

However, as you noted, the CNAME has certain limitations imposed by the DNS protocol RFC and it can't be used to map an apex domain.

Some DNS companies, such as DNSimple or DNS Made Easy, provides a CNAME-like record type that can be used to map the root domain to an hostname provided by a cloud service. Using these services will also make it easier to configure an SSL certificate.

Speaking of SSL certificates, beware that when you purchase a single-name certificate for example.com or www.example.com, it is only valid for that specific hostname. Most certificate authorities will also include the corresponding apex domain if you purchase www.example.com, but you need to check with your SSL certificate provider.

Last but not least, the ability to redirect HTTP to HTTPS traffic really depends on your service provider, in this case parse.com. Unfortunately, it's not uncommon for these services to not force HTTPS. Heroku is currently doing the same, they don't force HTTP to HTTPS when you enable HTTPS.

You should check with them if there is a way to apply such redirect, as the only way is to apply it either at server level or app level. You can't apply the redirect, for example, at DNS level.