This document explains the security model, HTTPS setup, and how to handle browser warnings.
OmniAntigravity Remote Chat supports HTTPS for secure connections between your phone and desktop.
- Encrypted Traffic: All data between your phone and server is encrypted.
- No Browser Warning Icon: Removes the ⚠️ "Not Secure" warning in the address bar.
- Professional Experience: Feels more polished and trustworthy.
The generate_ssl.js script uses a hybrid approach:
| Method | When Used | Benefits |
|---|---|---|
| OpenSSL (preferred) | When OpenSSL is installed | Full IP address SAN support, cleaner browser warnings |
| Node.js crypto (fallback) | When OpenSSL not available | Zero dependencies, works everywhere |
OpenSSL availability by platform:
- Windows: Available if Git for Windows is installed
- macOS: LibreSSL built-in (compatible)
- Linux: Usually pre-installed
| Type | Pros | Cons |
|---|---|---|
| Self-Signed (what we use) | Free, works offline, no domain needed, instant setup | Browser shows warning on first visit |
| CA-Signed (Let's Encrypt, etc.) | No browser warnings | Requires domain name, internet access, periodic renewal |
For local network use, self-signed certificates are the practical choice.
When you first visit the HTTPS URL on your phone, you'll see a warning like:

```
Your connection is not private
Attackers might be trying to steal your information from 192.168.1.x
NET::ERR_CERT_AUTHORITY_INVALID
```
Yes, it is safe to proceed for your local network. This warning appears because:
- The certificate is "self-signed" (created by you, not a Certificate Authority)
- Your browser doesn't recognize the issuer
- This is expected behavior for local development servers
- Tap "Advanced" at the bottom of the warning page
- Tap "Proceed to 192.168.1.x (unsafe)"
- Tap "Show Details"
- Tap "visit this website"
- Tap "Visit Website" in the confirmation popup
- Tap "Advanced"
- Tap "Proceed to 192.168.1.x (unsafe)"
- Click "Advanced"
- Click "Proceed to localhost (unsafe)"
- Click "Advanced..."
- Click "Accept the Risk and Continue"
What you'll see in all browsers:
All browsers will show "Not Secure" but "Encrypted" - this is expected!
| Browser | Icon | Message |
|---|---|---|
| Chrome (Android/Desktop) | 🔴 Red octagon with X | "Not secure" - but encrypted |
| Safari (iPhone) | | "Not Trusted" - but encrypted |
| Firefox | 🔴 Red octagon with X | "Not secure" - but encrypted |
| Edge | 🔴 Red octagon with X | "Not secure" - but encrypted |
Why "Not Secure" but still encrypted?
- Your data IS encrypted with TLS 1.3 / AES-256
- The certificate isn't from a trusted Certificate Authority
- This is normal and expected for self-signed certificates
Key points:
- The initial warning won't appear again (until you clear browser data)
- All traffic is encrypted with modern TLS 1.3
- Tap the icon: "Connection is encrypted" confirms security
To secure your session when accessing it remotely, OmniAntigravity Remote Chat includes a built-in authentication layer.
- Local Access (Wi-Fi): The server detects your local IP. Devices on the same Wi-Fi are automatically authenticated.
- Global Access (Mobile Data): Requests from the internet (via ngrok) require a Passcode.
- Session Cookies: Once logged in, your browser stores a secure, signed cookie valid for 30 days.
- Copy `.env.example` to `.env`.
- Set your custom password and API keys in the `.env` file:

```
APP_PASSWORD=your_secure_password
XXX_API_KEY=your-ai-provider-key
```

If no password is set, the default password `antigravity` is used. Set your own `APP_PASSWORD` before exposing the server through a tunnel, since the default is published here.
Since v1.3.0, the application enforces a strict Content Security Policy:
- HTTP Header + Meta Tags: CSP is enforced via both mechanisms for defense-in-depth.
- `script-src 'self'`: Only scripts from the same origin are allowed; zero inline JS.
- `frame-src 'none'`: The page may not embed iframes.
- `object-src 'none'`: No plugin/embed objects.

This prevents mirrored snapshot HTML from executing injected scripts in the mobile browser.
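To see what the policy above actually blocks in a mirrored snapshot, the added example below parses the three directives and audits a constructed HTML fragment. It is illustration only, not the project's CSP code: the header value is assembled from the directives listed above, the matcher is simplified (`'none'`, `'self'`, `'unsafe-inline'`, `*`, exact origins) and the snapshot markup is invented.

```javascript
// Splits a CSP header value into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Decides whether the page at pageOrigin may load `resource` under `policy`.
// kind: 'script' | 'frame' | 'object'; resource: { inline: true } or { url }.
// Simplified matcher: 'none', 'self', 'unsafe-inline', '*' and exact origins only.
function cspAllows(policy, kind, pageOrigin, resource) {
  const sources = policy[`${kind}-src`] ?? policy['default-src'];
  if (sources === undefined) return true; // nothing restricts this kind
  if (sources.includes("'none'")) return false;
  if (resource.inline) return sources.includes("'unsafe-inline'");
  const origin = new URL(resource.url).origin;
  return sources.some(s => (s === "'self'" ? origin === pageOrigin : s === '*' || s === origin));
}

// Header value constructed from the three directives documented above.
const POLICY = parseCsp("script-src 'self'; frame-src 'none'; object-src 'none'");

// Constructed snapshot fragment: one same-origin script, one injected inline
// script, one third-party script and one iframe.
const SAMPLE_SNAPSHOT = `
<script src="/static/app.js"></script>
<script>fetch('/api/messages');</script>
<script src="https://cdn.third-party.example/widget.js"></script>
<iframe src="https://cdn.third-party.example/frame.html"></iframe>`;

// Lists each script/iframe tag in the snapshot with the verdict the policy gives.
function auditSnapshot(html, policy, pageOrigin) {
  const findings = [];
  const tagRe = /<(script|iframe)\b([^>]*)>/gi;
  for (let m; (m = tagRe.exec(html)) !== null; ) {
    const kind = m[1].toLowerCase() === 'iframe' ? 'frame' : 'script';
    const src = /\bsrc=["']([^"']+)["']/i.exec(m[2]);
    const resource = src ? { url: new URL(src[1], pageOrigin).href } : { inline: true };
    findings.push({ kind, src: src ? src[1] : '(inline)', allowed: cspAllows(policy, kind, pageOrigin, resource) });
  }
  return findings;
}
```

Only the same-origin `/static/app.js` is allowed; the inline script, the third-party script and the iframe are all blocked.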
- Transport Layer: All HTTP traffic is encrypted with TLS 1.3 when using HTTPS.
- Passcode Protection: When accessed via the internet (ngrok) or non-local networks, a password/passcode is mandatory to prevent unauthorized access.
- Local Exemption: Intelligent IP detection automatically trusts your local Wi-Fi devices, allowing password-free access at home.
- Secure Sessions: Uses signed, `httpOnly` cookies that are inaccessible to cross-site scripting (XSS) attacks.
- Input Sanitization: User messages are escaped using `JSON.stringify` before CDP injection.
- Graceful Shutdown: Server cleans up connections properly on exit.
- Self-Signed Certs: Not trusted by browsers without manual accept (see "Bypassing Warnings" above).
- Physical Access: Anyone with physical access to your phone or desktop can control the session.
| Method | Safety | Recommendation |
|---|---|---|
| Local Wi-Fi | 🟢 High | Default mode, no password required. |
| Cloudflare / Pinggy tunnel | 🟡 Medium | Preferred remote method. Set APP_PASSWORD in .env for secure global access. |
| ngrok tunnel | 🟡 Medium | Use NGROK_AUTHTOKEN + APP_PASSWORD in .env. |
| Port Forwarding | 🔴 Low | NOT RECOMMENDED. Use the built-in tunnel providers instead. |
| Scenario | Recommendation |
|---|---|
| Home network (trusted) | Use as-is, HTTPS recommended |
| Shared network (office) | Enable HTTPS, consider adding auth |
| Remote access | Use VPN or SSH tunnel, never expose directly to internet |
```bash
npm run setup:ssl
# Or manually:
node scripts/generate_ssl.js
```

What it does:
- Detects your local IP addresses (e.g., 192.168.1.3)
- Tries OpenSSL first (if available) - includes IP in certificate SAN
- Falls back to Node.js crypto if OpenSSL not found
- Creates `certs/server.key` and `certs/server.cert`
Example output:

```
Generating self-signed SSL certificate...
Detected IP addresses: 192.168.1.3, 127.0.0.1
Using OpenSSL for certificate generation...
SSL certificates generated successfully!
Method: OpenSSL
Key: ./certs/server.key
Cert: ./certs/server.cert
SANs: localhost, 192.168.1.3, 127.0.0.1
```
If you're already running the server on HTTP:
- Look for the yellow "⚠️ Not Secure" banner
- Click the "Enable HTTPS" button
- Restart the server when prompted
If you need a new certificate (e.g., IP changed, expired, or compromised):

```bash
# Delete old certificates
rm -rf certs/      # Linux/macOS
rmdir /s certs     # Windows
# Generate new ones
npm run setup:ssl
# Restart server
npm start
```

Note: After regenerating, you'll need to accept the browser warning again on all devices.
Certificates are stored in ./certs/ and are gitignored - they will NOT be committed to version control.
To check which certificate you're using and its details:

Windows (with Git):

```powershell
& "C:\Program Files\Git\usr\bin\openssl.exe" x509 -in certs/server.cert -text -noout | Select-String -Pattern "Subject:|Issuer:|Not Before|Not After|DNS:|IP Address:"
```

macOS/Linux:

```bash
openssl x509 -in certs/server.cert -text -noout | grep -E "Subject:|Issuer:|Not Before|Not After|DNS:|IP Address:"
```

Example output:

```
Issuer: C=US, O=AntigravityPhoneConnect, CN=localhost
Not Before: Jan 17 06:55:13 2026 GMT
Not After : Jan 17 06:55:13 2027 GMT
Subject: C=US, O=AntigravityPhoneConnect, CN=localhost
DNS:localhost, IP Address:192.168.1.3, IP Address:127.0.0.1
```
Quick check (any platform):

```bash
node -e "const fs=require('fs'); console.log(fs.existsSync('certs/server.cert') ? 'Certificate exists' : 'No certificate')"
```

By default, the server binds to 0.0.0.0:4747, meaning:
- Accessible from any device on your LAN
- Accessible via `localhost` on the host machine
- NOT accessible from the internet (unless you port-forward)
If you can't connect from your phone:
- Check Windows Firewall / macOS Firewall settings
- Ensure port 4747 is allowed for Node.js
- Verify both devices are on the same Wi-Fi network
For the best certificate experience (proper IP SAN support), install OpenSSL:
- Easiest: Install Git for Windows - includes OpenSSL
- Standalone: Download from slproweb.com
macOS:

```bash
# Already included as LibreSSL, or install via Homebrew:
brew install openssl
```

Linux:

```bash
# Usually pre-installed, or:
sudo apt install openssl   # Debian/Ubuntu
sudo yum install openssl   # RHEL/CentOS
```

- README.md: Quick start and HTTPS setup instructions
- docs/CODE_DOCUMENTATION.md: Full technical architecture
- DESIGN_PHILOSOPHY.md: 10 core design principles
- CONTRIBUTING.md: Contributor guidelines and security checklist