Skip to content

[VULN-20] Missing Secure Cookie Flag #35

Description

@lyncmi07

Severity: Medium
Affected locations: routes/auth.ts:43,68,77

Issue:
Session cookie lacks Secure, so it may be sent over plaintext HTTP in insecure deployments.

Mitigation plan:

  1. Add Secure to all session cookies.
  2. Ensure production is HTTPS-only.
  3. Document local-dev behavior (optional dev override).

Verification / tests:

  • Tests assert Set-Cookie includes HttpOnly; SameSite=Strict; Secure in production mode.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions