fix: enforce Secure flag on session and CSRF cookies by default
Cookies were sent without the Secure flag outside of production (NODE_ENV check). New logic: secure=true by default; set SESSION_SECURE=false in .env to allow HTTP explicitly (local dev without a reverse proxy). Affects the session cookie, the CSRF cookie in the login handler, and the CSRF middleware.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
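The policy change described in the commit message, as an added example rather than the project's own code: the old NODE_ENV-gated flag next to the new default-on flag that only the literal string `false` in `SESSION_SECURE` switches off. The function names and the `sameSite` values are assumptions.

```javascript
// Added example, not the project's code. Cookie option builders are written as
// pure functions of an env object so the before/after behaviour can be compared.

// Before the fix (assumed shape): Secure only when NODE_ENV is "production",
// so every non-production deployment sent the cookie over plain HTTP.
function legacySessionCookieOptions(env) {
  return {
    httpOnly: true,
    sameSite: "lax", // assumption
    secure: env.NODE_ENV === "production",
  };
}

// After the fix: Secure by default. Only SESSION_SECURE=false, set explicitly
// in .env for local development without a reverse proxy, disables it. Any other
// value (unset, "0", "no") keeps the secure default, so a typo fails closed.
function secureCookieEnabled(env) {
  return env.SESSION_SECURE !== "false";
}

function sessionCookieOptions(env) {
  return {
    httpOnly: true,
    sameSite: "lax", // assumption
    secure: secureCookieEnabled(env),
  };
}

// The CSRF cookie set by the login handler and the CSRF middleware follows the
// same flag, so session and CSRF cookies never disagree about transport.
function csrfCookieOptions(env) {
  return {
    sameSite: "strict", // assumption
    secure: secureCookieEnabled(env),
  };
}
```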
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
### Security
- Session and CSRF cookies now have `secure: true` by default; HTTP is only allowed when `SESSION_SECURE=false` is explicitly set in `.env` — previously cookies were sent without `Secure` flag in non-production environments
## [0.5.2] - 2026-04-01
### Security
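Review bot: the new bullet under `[Unreleased]` should state the developer-facing consequence of the default change, since a cookie with `Secure` set is simply not stored by a browser on plain HTTP; an existing local setup without a reverse proxy will lose its session and CSRF cookies until `SESSION_SECURE=false` is added to `.env`, which reads as a breaking change for dev environments rather than a pure hardening note. Suggest appending something like "Local development over HTTP now requires `SESSION_SECURE=false` in `.env`" and making sure the variable is listed in the example env file. Also note that `SESSION_SECURE` governs the CSRF cookie as well as the session cookie, so the entry (or the variable's documentation) should say so, since the name alone does not suggest that scope.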