From 4131c3c6f654f248718f107d1e1b872a8a741f9d Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 13 Mar 2026 05:30:09 +0100
Subject: [PATCH] Fix CSRF cookie Secure flag for localhost development
- Changed hardcoded secure:true to req.secure || req.protocol === 'https'
- Allows CSRF cookies to work over HTTP on localhost
- Still enforces secure flag for HTTPS connections
- Enables OpenClaw programmatic API access
---
 dashcaddy-api/csrf-protection.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dashcaddy-api/csrf-protection.js b/dashcaddy-api/csrf-protection.js
index 9462467..2e7661b 100644
--- a/dashcaddy-api/csrf-protection.js
+++ b/dashcaddy-api/csrf-protection.js
@@ -65,7 +65,7 @@ function csrfCookieMiddleware(req, res, next) {
 // Set cookie with the nonce (SameSite=Strict for additional protection)
 res.cookie(CSRF_COOKIE_NAME, csrfNonce, {
 httpOnly: false, // Must be readable by JavaScript for signing
- secure: true,
+ secure: req.secure || req.protocol === 'https', // Only secure in HTTPS
 sameSite: 'strict',
 path: '/',
 maxAge: 24 * 60 * 60 * 1000 // 24 hours
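Review bot: The new `secure: req.secure || req.protocol === 'https'` line drops the Secure flag in production whenever TLS is terminated in front of the app, because behind a reverse proxy Express reports `req.protocol` as `http` unless `trust proxy` is configured, so this relaxation is not confined to localhost as the commit title says. In Express `req.secure` is already defined as `req.protocol === 'https'`, so the second disjunct adds nothing and only hides that the whole check hinges on one proxy-dependent value. Gate the relaxation on the deployment rather than on the observed scheme, e.g. `secure: process.env.NODE_ENV === 'production' || req.secure, // plain HTTP only outside production`, or keep `secure: true` and enable `trust proxy` where HTTPS is terminated upstream — confirm which environment convention this service uses. If the proxy path is kept, a comment noting that `trust proxy` must be set for `req.secure` to be true behind a load balancer belongs on this line. The enclosing `csrfCookieMiddleware` function starts and ends outside the hunk.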