Severity: Medium
Affected locations: routes/auth.ts:43,68,77
Issue:
Session cookie lacks Secure, so it may be sent over plaintext HTTP in insecure deployments.
Mitigation plan:
- Add
Secure to all session cookies.
- Ensure production is HTTPS-only.
- Document local-dev behavior (optional dev override).
Verification / tests:
- Tests assert
Set-Cookie includes HttpOnly; SameSite=Strict; Secure in production mode.
Severity: Medium
Affected locations:
routes/auth.ts:43,68,77Issue:
Session cookie lacks
Secure, so it may be sent over plaintext HTTP in insecure deployments.Mitigation plan:
Secureto all session cookies.Verification / tests:
Set-CookieincludesHttpOnly; SameSite=Strict; Securein production mode.