fix(auth): warn at startup when Secure cookies will break plain-HTTP LAN login #281
Merged: outsourc-e merged 1 commit into outsourc-e:main from … (May 4, 2026)
…LAN login

NODE_ENV=production enables the Secure flag on session cookies. Browsers silently drop Secure cookies over plain HTTP, causing login to fail with no visible error when HOST=0.0.0.0 is used on a LAN without HTTPS.

- Add startup warning in server-entry.js when non-loopback host + production + COOKIE_SECURE not explicitly disabled
- Document COOKIE_SECURE=0 in .env.example alongside the existing =1 case
- Add COOKIE_SECURE entry to README env-vars table

Closes outsourc-e#149

Worked with Interstellar Code
CleanExpo added a commit to CleanExpo/hermes-workspace that referenced this pull request on May 4, 2026
Summary

- server-entry.js when the server is running in production mode with a non-loopback bind address but without HTTPS
- NODE_ENV=production enables the Secure flag on session cookies; browsers silently drop Secure cookies over plain HTTP, causing login to fail with no visible error on LAN deployments
- COOKIE_SECURE=0 as the escape hatch

Why

Silent login failure on LAN (HOST=0.0.0.0) with no error message is a sharp edge that's hard to diagnose. Closes #149.

Test plan

- NODE_ENV=production HOST=0.0.0.0 (no COOKIE_SECURE=0) — warning appears in logs
- NODE_ENV=production HOST=0.0.0.0 COOKIE_SECURE=0 — no warning
- HOST=127.0.0.1 — no warning

Worked with Interstellar Code
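The following is an added example, not the project's server-entry.js and not code from this PR. It models the startup check described in the commit message and the PR body (warn when NODE_ENV=production, a non-loopback HOST, and no explicit COOKIE_SECURE=0 coincide) and pairs it with a toy browser-side model that shows why the failure is silent: a Set-Cookie carrying Secure is dropped over plain http, so the next request arrives without a session. The variable names NODE_ENV, HOST and COOKIE_SECURE come from the PR; the loopback list, the accepted COOKIE_SECURE spellings, the function names, the sample origins and the session id are assumptions constructed for this example. The browser model goes slightly beyond the PR text by exempting loopback origins, which mainstream browsers treat as secure contexts for Secure cookies; that matches the PR's own exemption of loopback binds.

```javascript
// Added example, not the project's code. Models the PR's startup check and the
// browser behaviour that makes the failure silent. Names and sample values
// below are assumptions made for this example.

const LOOPBACK_HOSTS = new Set(['127.0.0.1', '::1', 'localhost']); // assumption

// True when a bind address or origin hostname is loopback-only. An unset HOST
// is treated as loopback (assumption: the project defaults to a local-only bind).
function isLoopbackHost(host) {
  if (host === undefined || host === '') return true;
  const h = host.trim().toLowerCase().replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  return LOOPBACK_HOSTS.has(h);
}

// Interpret COOKIE_SECURE: true for "=1", false for "=0", undefined when absent
// or unrecognised (i.e. not explicitly set). Accepted spellings are an assumption.
function parseCookieSecure(value) {
  if (value === undefined) return undefined;
  const v = String(value).trim().toLowerCase();
  if (v === '1' || v === 'true') return true;
  if (v === '0' || v === 'false') return false;
  return undefined;
}

// Will session cookies carry the Secure flag? An explicit COOKIE_SECURE wins;
// otherwise NODE_ENV=production implies Secure, as the PR states.
function cookiesWillBeSecure(env) {
  const explicit = parseCookieSecure(env.COOKIE_SECURE);
  return explicit !== undefined ? explicit : env.NODE_ENV === 'production';
}

// The startup check: returns the warning text to log, or null when the
// configuration is fine (loopback bind, or Secure explicitly disabled).
function secureCookieWarning(env) {
  if (!cookiesWillBeSecure(env) || isLoopbackHost(env.HOST)) return null;
  return (
    `[startup] Session cookies will carry the Secure flag (NODE_ENV=${env.NODE_ENV}) ` +
    `but the server binds to ${env.HOST}. Browsers drop Secure cookies over plain ` +
    `HTTP, so login will fail with no visible error unless this host is reached ` +
    `over HTTPS. Set COOKIE_SECURE=0 only for a trusted plain-HTTP LAN; the ` +
    `session cookie is then sent in cleartext.`
  );
}

// Toy browser model: does a Set-Cookie header received from `origin` get stored?
// Only the Secure attribute is modelled. A Secure cookie arriving over plain http
// from a non-loopback origin is dropped with no signal to the page or the server.
function browserStoresCookie(setCookieHeader, origin) {
  const attrs = setCookieHeader.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const isSecure = attrs.includes('secure');
  if (!isSecure) return true;
  const url = new URL(origin);
  return url.protocol === 'https:' || isLoopbackHost(url.hostname);
}

// End to end: the server issues a session cookie, the browser keeps or drops it,
// and the follow-up request is authenticated only if the cookie came back.
function simulateLogin(env, origin) {
  const secure = cookiesWillBeSecure(env);
  const setCookie = 'sid=constructed-session-id; Path=/; HttpOnly' + (secure ? '; Secure' : '');
  const stored = browserStoresCookie(setCookie, origin);
  return { setCookie, stored, loggedIn: stored };
}

// The three scenarios from the PR's test plan with the user-visible outcome.
// Origins are constructed: a LAN client reaching a 0.0.0.0 bind, and loopback.
const scenarios = [
  { env: { NODE_ENV: 'production', HOST: '0.0.0.0' }, origin: 'http://192.168.1.10:3000' },
  { env: { NODE_ENV: 'production', HOST: '0.0.0.0', COOKIE_SECURE: '0' }, origin: 'http://192.168.1.10:3000' },
  { env: { NODE_ENV: 'production', HOST: '127.0.0.1' }, origin: 'http://127.0.0.1:3000' },
];
for (const { env, origin } of scenarios) {
  const warning = secureCookieWarning(env);
  const outcome = simulateLogin(env, origin);
  console.log(
    JSON.stringify(env),
    '->',
    warning ? 'WARN' : 'no warning',
    '| login at', origin + ':',
    outcome.loggedIn ? 'ok' : 'fails silently'
  );
}
```

The check is deliberately a pure function of the environment so it can be unit-tested without starting a server; wiring it into startup is one `console.warn` call on a non-null result. Note that COOKIE_SECURE=1 with a non-loopback bind still warns, since the flag is then "not explicitly disabled", which is the condition the PR names.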