Fix CSRF cookie Secure flag for localhost development

- Changed hardcoded secure:true to req.secure || req.protocol === 'https'
- Allows CSRF cookies to work over HTTP on localhost
- Still enforces secure flag for HTTPS connections
- Enables OpenClaw programmatic API access
root
2026-03-13 05:30:09 +01:00
parent 0f4bd419e1
commit 4131c3c6f6


@@ -65,7 +65,7 @@ function csrfCookieMiddleware(req, res, next) {
// Set cookie with the nonce (SameSite=Strict for additional protection) // Set cookie with the nonce (SameSite=Strict for additional protection)
res.cookie(CSRF_COOKIE_NAME, csrfNonce, { res.cookie(CSRF_COOKIE_NAME, csrfNonce, {
httpOnly: false, // Must be readable by JavaScript for signing httpOnly: false, // Must be readable by JavaScript for signing
secure: true, secure: req.secure || req.protocol === 'https', // Only secure in HTTPS
sameSite: 'strict', sameSite: 'strict',
path: '/', path: '/',
maxAge: 24 * 60 * 60 * 1000 // 24 hours maxAge: 24 * 60 * 60 * 1000 // 24 hours
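Review bot: The new `secure` expression on the changed `secure:` line silently drops the Secure flag whenever TLS is terminated in front of this process, because `req.secure` (and `req.protocol`, which in Express is what `req.secure` is already derived from, so the second clause is redundant) only reflects `X-Forwarded-Proto` when `trust proxy` is enabled, whereas the previous hardcoded `true` had no such dependency. For an HTTPS deployment behind a proxy with the default (untrusted) setting the CSRF cookie would then be sent without Secure, so the commit message's "still enforces secure flag for HTTPS connections" only holds when the proxy setting is configured. A safer gate ties the relaxation to the development case rather than to what the request looks like, e.g. `secure: process.env.NODE_ENV === 'production' || req.secure, // Secure in production; relaxed only for local HTTP dev`, or at minimum the comment should state that `app.set('trust proxy', ...)` must be set wherever this runs behind a proxy. csrfCookieMiddleware continues outside the hunk.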