chris/balloon-shop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow COOKIE_SECURE=false to disable Secure flag behind HTTP proxy

Browse Source 
NODE_ENV=production sets Secure:true but the container may sit behind
an HTTP-only reverse proxy, causing browsers to reject the cookie.
COOKIE_SECURE=false in .env overrides the flag without changing NODE_ENV.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
chris 2026-04-13 18:51:45 -04:00
parent c8fc15be86
commit e34dfc397c
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/app/api/admin/login/route.ts
View File

@ -51,9 +51,12 @@ export async function POST(request: Request) {
const token = deriveSessionToken(process.env.ADMIN_PASSWORD)
const response = NextResponse.json({ ok: true })
// Secure flag: on by default in production, but can be disabled via
// COOKIE_SECURE=false in .env when running behind an HTTP-only proxy.
const secureCookie = process.env.COOKIE_SECURE !== 'false' && process.env.NODE_ENV === 'production'
response.cookies.set('admin_token', token, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
secure: secureCookie,
sameSite: 'strict',
maxAge: 60 * 60 * 24 * 7, // 7 days
path: '/',