
Add "Secure" flag to all cookies #3301

Merged

tom2drum merged 2 commits into main from tom2drum/issue-3296 on Feb 26, 2026

Conversation

@tom2drum (Collaborator)

Description and Related Issue(s)

Resolves #3296

Adds the Secure cookie attribute for all app cookies when the app is served over HTTPS, so cookies are only sent over secure connections and are not exposed on HTTP.

Proposed Changes

  • lib/cookies.ts: Introduced getDefaultAttributes() returning { path: '/', secure: config.app.protocol === 'https' }. All set() and remove() calls now use these defaults (with optional overrides).
  • configs/app/app.ts: Default protocol to 'https' when NEXT_PUBLIC_APP_PROTOCOL is unset, so the Secure flag is used by default in production.
  • Middlewares and SSR: Replaced hardcoded { path: '/' } with cookiesLib.getDefaultAttributes() in addressFormat, appProfile, colorTheme, poorReputationTokens, and scamTokens middlewares. In getServerSideProps/handlers.ts, the UUID Set-Cookie header now includes Path=/ and Secure when protocol is HTTPS.

No new or changed environment variables.

Breaking or Incompatible Changes

None.

Additional Information

N/A

Checklist for PR author

  • I have tested these changes locally.
  • I added tests to cover any new functionality, following this guide
  • Whenever I fix a bug, I include a regression test to ensure that the bug does not reappear silently.
  • If I have added a feature or functionality that is not privacy-compliant (e.g., tracking, analytics, third-party services), I have disabled it for private mode.
  • If I have added, changed, renamed, or removed an environment variable
    • I updated the list of environment variables in the documentation
    • I made the necessary changes to the validator script according to the guide
    • I added "ENVs" label to this pull request

@coderabbitai (Contributor)

coderabbitai bot commented Feb 26, 2026

Important

Review skipped

Auto reviews are disabled on this repository. To trigger a review, include @coderabbitai review in the PR description. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
lib/cookies.ts (1)

44-47: Add explicit return type annotation.

Per coding guidelines, top-level module functions should declare their return types. Consider adding a type annotation for clarity and maintainability.

Proposed fix
-export const getDefaultAttributes = () => ({
+export const getDefaultAttributes = (): Cookies.CookieAttributes => ({
   path: '/',
   secure: config.app.protocol === 'https',
 });
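Review bot: `Cookies.CookieAttributes` in the `+` line only type-checks if a `Cookies` namespace is in scope in lib/cookies.ts, and the hunk shows no import for it; the agent prompt elsewhere in this same review proposes the inline type `{ path: string; secure: boolean }` instead, so the two suggestions disagree. Prefer the library type if these defaults are passed straight to the cookie library's `set()`/`remove()` (callers can then add `expires` or `sameSite` overrides without widening a literal type), and fix the prompt to match. Also note that the object carries only `path` and `secure`; no `sameSite` is set, so the browser default applies, which is worth stating as deliberate in a comment.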

As per coding guidelines: "When declaring functions on the top-level of a module, declare their return types."

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@nextjs/getServerSideProps/handlers.ts`:
- Line 45: The manual Set-Cookie construction at res.setHeader using
cookies.NAMES.UUID and config.app.protocol can emit trailing semicolons/spaces
and diverges from the middleware's getDefaultAttributes behavior; replace this
manual header build by using the shared cookie-attribute helper (either call
cookiesLib.getDefaultAttributes() or add a helper in lib/cookies.ts that returns
a Set-Cookie string for a name/value using the same defaults) and use that
helper to set the cookie for UUID so attributes (Secure, SameSite, Path, etc.)
are consistent and no trailing characters are produced.

In `@nextjs/middlewares/appProfile.ts`:
- Around line 16-18: The cookie is set using res.cookies.set with attributes
from cookiesLib.getDefaultAttributes() but deleted without attributes, which can
prevent proper removal; update the deletion to pass the same attributes so the
name and path match (i.e., call res.cookies.delete with
cookiesLib.NAMES.APP_PROFILE and cookiesLib.getDefaultAttributes()) and ensure
you reference the same attributes used when setting the cookie
(cookiesLib.getDefaultAttributes()) alongside the existing res.cookies.set and
PRIVATE_PROFILE_VALUE usage.

---

Nitpick comments:
In `@lib/cookies.ts`:
- Around line 44-47: Update the top-level function getDefaultAttributes to
include an explicit return type annotation (e.g., : { path: string; secure:
boolean }) instead of relying on type inference; modify the function signature
for getDefaultAttributes to declare that it returns an object with path: string
and secure: boolean so the intent and shape are explicit and adhere to the
module-level typing guideline.

📥 Commits

Reviewing files that changed from the base of the PR and between 67ce6ae and 9d8c84f.

📒 Files selected for processing (8)
  • configs/app/app.ts
  • lib/cookies.ts
  • nextjs/getServerSideProps/handlers.ts
  • nextjs/middlewares/addressFormat.ts
  • nextjs/middlewares/appProfile.ts
  • nextjs/middlewares/colorTheme.ts
  • nextjs/middlewares/poorReputationTokens.ts
  • nextjs/middlewares/scamTokens.ts

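The helper the PR describes (getDefaultAttributes() returning path and a protocol-dependent Secure flag, reused by the hand-built UUID Set-Cookie header in handlers.ts) and the two review findings above (trailing "; " from manual header construction, and deleting a cookie without the attributes it was set with) can be seen together in the following TypeScript. This is an added example, not code from the PR or from the repository it targets: the AppProtocol type stands in for config.app.protocol, the serializer and audit functions are my own, and the cookie names and header strings are constructed for the demonstration.

```typescript
// Added example, not code from the PR: a shared default-attribute helper plus a
// Set-Cookie serializer built on it, so the SSR header and the middleware/client
// cookie writes agree on Path and Secure. AppProtocol stands in for
// config.app.protocol; cookie names and sample headers below are constructed.

export type AppProtocol = 'http' | 'https';

export interface CookieAttributes {
  path?: string;
  domain?: string;
  secure?: boolean;
  httpOnly?: boolean;
  sameSite?: 'Lax' | 'Strict' | 'None';
  maxAge?: number; // seconds
  expires?: Date;
}

// Same idea as the PR: Secure only when the app itself is served over HTTPS,
// otherwise the browser would never send the cookie back on plain HTTP.
export function getDefaultAttributes(protocol: AppProtocol): CookieAttributes {
  return { path: '/', secure: protocol === 'https' };
}

// Builds a Set-Cookie header value. Attributes are collected and joined once,
// so no trailing "; " is emitted when an optional flag is absent.
export function serializeSetCookie(name: string, value: string, attrs: CookieAttributes): string {
  const parts: string[] = [`${name}=${encodeURIComponent(value)}`];
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.expires) parts.push(`Expires=${attrs.expires.toUTCString()}`);
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${Math.trunc(attrs.maxAge)}`);
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  if (attrs.httpOnly) parts.push('HttpOnly');
  // Browsers reject SameSite=None without Secure, so force Secure in that case.
  if (attrs.secure || attrs.sameSite === 'None') parts.push('Secure');
  return parts.join('; ');
}

// A deletion is a Set-Cookie that expires immediately. Browsers match the cookie
// to delete on name + Domain + Path, so the attributes used when setting it must
// be repeated here (the review's appProfile.ts point).
export function serializeRemoveCookie(name: string, attrs: CookieAttributes): string {
  return serializeSetCookie(name, '', { ...attrs, expires: new Date(0), maxAge: 0 });
}

export interface ParsedSetCookie {
  name: string;
  value: string;
  flags: Record<string, string | true>; // lower-cased attribute name -> value
}

// Minimal Set-Cookie parser for checking emitted headers; rejects empty attribute
// segments such as the trailing "; " a hand-built header can leave behind.
export function parseSetCookie(header: string): ParsedSetCookie {
  const segments = header.split(';').map((s) => s.trim());
  const pair = segments[0] ?? '';
  const eq = pair.indexOf('=');
  if (eq <= 0) throw new Error(`malformed cookie pair in: ${JSON.stringify(header)}`);
  const flags: Record<string, string | true> = {};
  for (const attr of segments.slice(1)) {
    if (attr === '') throw new Error(`empty attribute segment in: ${JSON.stringify(header)}`);
    const i = attr.indexOf('=');
    if (i === -1) flags[attr.toLowerCase()] = true;
    else flags[attr.slice(0, i).toLowerCase()] = attr.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)), flags };
}

// Audits a response's Set-Cookie headers against the policy the PR aims for:
// every cookie carries Path=/ and, when the app is served over HTTPS, Secure.
export function auditSetCookieHeaders(headers: string[], protocol: AppProtocol): string[] {
  const problems: string[] = [];
  for (const h of headers) {
    let parsed: ParsedSetCookie | undefined;
    try {
      parsed = parseSetCookie(h);
    } catch (e) {
      problems.push((e as Error).message);
    }
    if (!parsed) continue;
    if (protocol === 'https' && parsed.flags.secure !== true) problems.push(`${parsed.name}: missing Secure`);
    if (parsed.flags.path !== '/') {
      problems.push(`${parsed.name}: Path is ${String(parsed.flags.path ?? 'unset')}, expected /`);
    }
  }
  return problems;
}

// Stand-alone demonstration with constructed cookie names and headers.
const httpsDefaults = getDefaultAttributes('https');
console.log(serializeSetCookie('uuid', 'c0ffee', httpsDefaults));
console.log(serializeRemoveCookie('app_profile', httpsDefaults));
console.log(auditSetCookieHeaders(['uuid=c0ffee; Path=/', 'theme=dark; Path=/; Secure; '], 'https'));
```

Running the audit against the headers of a real response is the regression check the PR's checklist asks for: over HTTPS it lists every cookie that lacks Secure or was set on a Path other than `/`, and it flags a hand-assembled header that left a dangling separator.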
@tom2drum tom2drum merged commit ebaacc5 into main Feb 26, 2026
12 checks passed
@tom2drum tom2drum deleted the tom2drum/issue-3296 branch February 26, 2026 16:53

Successfully merging this pull request may close these issues.

Add "Secure" flag to all cookies