To make my story short, here is shown error message(in chromium console):

Mixed Content: The page at 'https://example.com/#/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example.com/login'. This request has been blocked; the content must be served over HTTPS.

And you see this message if you click the security icon(in chromium address bar):

To investigate this further I notice, on page load event, we do have a request to /api/account secure end-point and since first-time visitors are not usually authenticated, then this request will get redirected to /login path (in somewhere?). but over HTTP and not HTTPS, which will be desire behaviour in my case.

I'm suspicious that this is because I do use my JHipster application behind a reverse proxy and my reverse proxy is responsible for serving requests over HTTPS. In another words my JHipster application doesn't know that we are using HTTPS.

I also did try to debug my client-side code to see if I could override this behaviour but I notice this redirect is not triggered from neither auth-expired.interceptor.ts or errorhandler.interceptor.ts.

So more likely this redirect is happening form my server-side code and maybe could be override by changing an spring security config?

Thank you JHipsters! :-)

Set server.use-forward-headers: true in your application.yml. Make sure your proxy server is also configured to add X-Forwarded-For and X-Forwarded-Proto headers. For Nginx, you can add proxy_set_header X-Forwarded-Proto $scheme; in the location section. This will fix your 302 redirects which are built from the proxy headers.

This is described in the Spring Boot docs for running behind a proxy server, also there was a related Github issue.