Problem
Session cookies are always configured with secure: false, even in production.
Current Behavior
A production deployment may send session cookies over insecure channels if the environment setting is not enforced.
Why This Improvement Is Needed
Secure cookie handling is required for production security and proper session behavior behind proxies.
Proposed Solution
Configure express-session to use secure: true in production, sameSite: lax, and proxy: true when behind a proxy.
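An added example of the proposed configuration (not the project's own code): the options object is derived from the environment, so production gets secure, SameSite=Lax cookies and the proxy flag, with a start-up check that rejects the hard-coded secure: false shape. It assumes NODE_ENV, TRUST_PROXY and SESSION_SECRET environment variables.

```javascript
// Added example, not the project's code. Assumed env vars: NODE_ENV, TRUST_PROXY, SESSION_SECRET.

// The shape this issue reports: secure is hard-coded to false regardless of environment.
function insecureSessionOptions(secret) {
  return { secret, resave: false, saveUninitialized: false, cookie: { secure: false } };
}

// Hardened shape: every security-relevant flag is decided from the environment.
function buildSessionOptions(env) {
  const isProd = env.NODE_ENV === 'production';
  const behindProxy = env.TRUST_PROXY === '1' || env.TRUST_PROXY === 'true';
  if (isProd && !env.SESSION_SECRET) {
    throw new Error('SESSION_SECRET must be set in production');
  }
  return {
    secret: env.SESSION_SECRET || 'dev-only-placeholder-secret', // placeholder outside production
    resave: false,
    saveUninitialized: false,
    // express-session only sets the Secure flag when it judges the request to be HTTPS.
    // Behind a TLS-terminating proxy the socket is plain HTTP, so proxy: true makes it
    // consult X-Forwarded-Proto instead; the cookie would otherwise never be sent.
    proxy: behindProxy,
    cookie: {
      httpOnly: true,
      sameSite: 'lax',
      secure: isProd, // Secure only in production so local HTTP development still works
    },
  };
}

// Deployment check: list anything unsafe about the options before the server starts.
function checkSessionOptions(options, env) {
  const problems = [];
  if (env.NODE_ENV !== 'production') return problems;
  const c = options.cookie || {};
  if (c.secure !== true) problems.push('cookie.secure must be true in production');
  if (c.sameSite !== 'lax' && c.sameSite !== 'strict') problems.push('cookie.sameSite must be lax or strict');
  if (c.httpOnly !== true) problems.push('cookie.httpOnly must be true');
  return problems;
}

// Wiring in the app (shown as comments so the example runs without express installed):
//   app.set('trust proxy', 1);                  // needed so req.secure reflects X-Forwarded-Proto
//   const opts = buildSessionOptions(process.env);
//   const problems = checkSessionOptions(opts, process.env);
//   if (problems.length) throw new Error(problems.join('; '));
//   app.use(session(opts));
```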
Expected Outcome
Session cookies are only sent securely in production and are configured safely for deployment.
Additional Notes
This is a backend security hardening change.