From dd2eba59b2d3c016f11dfce1fff3220030246091 Mon Sep 17 00:00:00 2001
From: Amir Raminfar
Date: Sun, 24 May 2026 16:52:44 -0700
Subject: [PATCH] fix: set Secure flag on jwt cookie when request is HTTPS (#4740)

Co-authored-by: Claude Opus 4.7 (1M context)
---
 internal/web/auth.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/internal/web/auth.go b/internal/web/auth.go
index 83d96def..98850d94 100644
--- a/internal/web/auth.go
+++ b/internal/web/auth.go
@@ -2,6 +2,7 @@ package web
 
 import (
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/rs/zerolog/log"
@@ -23,6 +24,7 @@ func (h *handler) createToken(w http.ResponseWriter, r *http.Request) {
 		HttpOnly: true,
 		Path: "/",
 		SameSite: http.SameSiteLaxMode,
+		Secure: isHTTPS(r),
 		Expires: expires,
 	})
 	log.Info().Str("user", user).Msg("Token created")
@@ -41,8 +43,18 @@ func (h *handler) deleteToken(w http.ResponseWriter, r *http.Request) {
 		HttpOnly: true,
 		Path: "/",
 		SameSite: http.SameSiteLaxMode,
+		Secure: isHTTPS(r),
 		Expires: time.Unix(0, 0),
 	})
 	w.WriteHeader(http.StatusOK)
 	w.Write([]byte(http.StatusText(http.StatusOK)))
 }
+
+// isHTTPS reports whether the original client request used HTTPS, accounting
+// for TLS terminated at an upstream reverse proxy via X-Forwarded-Proto.
+func isHTTPS(r *http.Request) bool {
+	if r.TLS != nil {
+		return true
+	}
+	return strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
+}
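Review bot: The `X-Forwarded-Proto` comparison in the new `isHTTPS` helper breaks behind chained proxies, which append rather than replace the value, so a header like `https, http` never equals `"https"` and the cookie is silently issued without `Secure` on what is really a TLS session. Compare only the first hop: `proto, _, _ := strings.Cut(r.Header.Get("X-Forwarded-Proto"), ",")` followed by `return strings.EqualFold(strings.TrimSpace(proto), "https")`. Separately, the header is trusted from any peer; a client connecting directly over plain HTTP can supply it, which here only costs that client its own cookie, but the doc comment should say the header is honoured unconditionally and that a proxy which signals TLS differently (e.g. the RFC 7239 `Forwarded` header) leaves the cookie non-Secure, since the fallback is silent. Consider logging at debug level in `createToken` when `isHTTPS(r)` is false so operators can spot a misconfigured proxy; the `createToken` and `deleteToken` bodies both start outside the hunk.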