Skip to content

Add "Secure" flag to all cookies #3301

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tom2drum merged 2 commits into from
Feb 26, 2026
Merged

Add "Secure" flag to all cookies #3301

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9d8c84f
Add "Secure" flag to all cookies
tom2drum Feb 26, 2026
0b0a22c
more fixes
tom2drum Feb 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion configs/app/app.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ const app = Object.freeze({
isDev,
isReview,
isPw,
protocol: appSchema,
protocol: appSchema || 'https',
host: appHost,
port: appPort,
baseUrl,
Expand Down
12 changes: 8 additions & 4 deletions lib/cookies.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
import Cookies from 'js-cookie';

import config from 'configs/app';
import { isBrowser } from 'toolkit/utils/isBrowser';

/**
Expand Down Expand Up @@ -40,6 +41,11 @@ export const PRIVATE_MODE_DISALLOWED: ReadonlyArray<NAMES> = [
NAMES.MIXPANEL_DEBUG,
];

export const getDefaultAttributes = () => ({
path: '/',
secure: config.app.protocol === 'https',
});

export function get(name?: NAMES | undefined | null, serverCookie?: string) {
if (!isBrowser()) {
return serverCookie ? getFromCookieString(serverCookie, name) : undefined;
Expand Down Expand Up @@ -72,13 +78,11 @@ export function set(name: NAMES, value: string, attributes: Cookies.CookieAttrib
return;
}

attributes.path = '/';

return Cookies.set(name, value, attributes);
return Cookies.set(name, value, { ...getDefaultAttributes(), ...attributes });
}

export function remove(name: NAMES, attributes: Cookies.CookieAttributes = {}) {
return Cookies.remove(name, attributes);
return Cookies.remove(name, { ...getDefaultAttributes(), ...attributes });
}

export function getFromCookieString(cookieString: string, name?: NAMES | undefined | null) {
Expand Down
2 changes: 1 addition & 1 deletion nextjs/getServerSideProps/handlers.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ Promise<GetServerSidePropsResult<Props<Pathname>>> => {
let uuid = cookies.getFromCookieString(req.headers.cookie || '', cookies.NAMES.UUID);
if (!uuid && appProfile !== 'private') {
uuid = crypto.randomUUID();
res.setHeader('Set-Cookie', `${ cookies.NAMES.UUID }=${ uuid }`);
res.setHeader('Set-Cookie', `${ cookies.NAMES.UUID }=${ uuid }; Path=/${ config.app.protocol === 'https' ? '; Secure' : '' }`);
}

const isTrackingDisabled = process.env.DISABLE_TRACKING === 'true' || appProfile === 'private';
Expand Down
4 changes: 2 additions & 2 deletions nextjs/middlewares/addressFormat.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,9 @@ export default function addressFormatMiddleware(req: NextRequest, res: NextRespo
if (addressFormatCookie) {
const isValidCookie = config.UI.views.address.hashFormat.availableFormats.includes(addressFormatCookie.value as AddressFormat);
if (!isValidCookie) {
res.cookies.set(cookiesLib.NAMES.ADDRESS_FORMAT, defaultFormat, { path: '/' });
res.cookies.set(cookiesLib.NAMES.ADDRESS_FORMAT, defaultFormat, cookiesLib.getDefaultAttributes());
}
} else {
res.cookies.set(cookiesLib.NAMES.ADDRESS_FORMAT, defaultFormat, { path: '/' });
res.cookies.set(cookiesLib.NAMES.ADDRESS_FORMAT, defaultFormat, cookiesLib.getDefaultAttributes());
}
}
7 changes: 5 additions & 2 deletions nextjs/middlewares/appProfile.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,11 @@ export default function appProfileMiddleware(req: NextRequest, res: NextResponse

const profileValue = headerValue || queryValue;
if (profileValue === PRIVATE_PROFILE_VALUE) {
res.cookies.set(cookiesLib.NAMES.APP_PROFILE, PRIVATE_PROFILE_VALUE, { path: '/' });
res.cookies.set(cookiesLib.NAMES.APP_PROFILE, PRIVATE_PROFILE_VALUE, cookiesLib.getDefaultAttributes());
} else {
res.cookies.delete(cookiesLib.NAMES.APP_PROFILE);
res.cookies.delete({
name: cookiesLib.NAMES.APP_PROFILE,
...cookiesLib.getDefaultAttributes(),
});
}
}
4 changes: 2 additions & 2 deletions nextjs/middlewares/colorTheme.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@ export default function colorThemeMiddleware(req: NextRequest, res: NextResponse

if (!colorModeCookie) {
if (appConfig.UI.colorTheme.default) {
res.cookies.set(cookiesLib.NAMES.COLOR_MODE, appConfig.UI.colorTheme.default.colorMode, { path: '/' });
res.cookies.set(cookiesLib.NAMES.COLOR_THEME, appConfig.UI.colorTheme.default.id, { path: '/' });
res.cookies.set(cookiesLib.NAMES.COLOR_MODE, appConfig.UI.colorTheme.default.colorMode, cookiesLib.getDefaultAttributes());
res.cookies.set(cookiesLib.NAMES.COLOR_THEME, appConfig.UI.colorTheme.default.id, cookiesLib.getDefaultAttributes());
}
}
}
2 changes: 1 addition & 1 deletion nextjs/middlewares/poorReputationTokens.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ export default function poorReputationTokensMiddleware(req: NextRequest, res: Ne
const showPoorReputationTokensCookie = req.cookies.get(cookiesLib.NAMES.SHOW_POOR_REPUTATION_TOKENS);

if (!showPoorReputationTokensCookie) {
res.cookies.set(cookiesLib.NAMES.SHOW_POOR_REPUTATION_TOKENS, 'false', { path: '/' });
res.cookies.set(cookiesLib.NAMES.SHOW_POOR_REPUTATION_TOKENS, 'false', cookiesLib.getDefaultAttributes());
}
}
}
2 changes: 1 addition & 1 deletion nextjs/middlewares/scamTokens.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ export default function scamTokensMiddleware(req: NextRequest, res: NextResponse
const showScamTokensCookie = req.cookies.get(cookiesLib.NAMES.SHOW_SCAM_TOKENS);

if (!showScamTokensCookie) {
res.cookies.set(cookiesLib.NAMES.SHOW_SCAM_TOKENS, 'false', { path: '/' });
res.cookies.set(cookiesLib.NAMES.SHOW_SCAM_TOKENS, 'false', cookiesLib.getDefaultAttributes());
}
}
}
Loading