I'm almost wondering if I really need https for both www and non-www since this is only for my backend API?
If I move this all to a subdomain e.g. api.26reads.com , and I make sure all my frontend calls are to the non-www subdomain, would that work?
My frontend would be on Vercel and I'm not sure how relevant this is but they do seem to offer redirect www to non-www and vice versa: Custom Domains – Vercel Docs