feat: env-driven Secure flag on portal session cookie

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-16 00:16:54 +00:00
parent 01180d5725
commit 20f62a5c0a
4 changed files with 23 additions and 4 deletions
@@ -39,6 +39,9 @@ if SECRET_KEY == "dev-insecure-change-me":

 COOKIE_NAME = "portal_session"
 COOKIE_MAX_AGE = 60 * 60 * 24 * 30  # 30 days
+# Set COOKIE_SECURE=true once the portal is served over HTTPS (TLS terminates at
+# the Synology reverse proxy). Default false so plain-HTTP dev still works.
+COOKIE_SECURE = os.getenv("COOKIE_SECURE", "false").lower() in ("1", "true", "yes")


 class PortalAuthError(Exception):