Merge pull request #463 from zitadel/qa

fix: enfore secure cookie for production environments
2025-08-12 17:37:32 +00:00 · 2025-05-19 17:05:40 +02:00
parent a4d703362f 29eeef798a
commit 276ec4015d
2 changed files with 4 additions and 2 deletions
--- a/apps/login/src/lib/cookies.ts
+++ b/apps/login/src/lib/cookies.ts
@@ -31,7 +31,8 @@ async function setSessionHttpOnlyCookie<T>(
    value: JSON.stringify(sessions),
    httpOnly: true,
    path: "/",
-    sameSite,
+    sameSite: process.env.NODE_ENV === "production" ? sameSite : "lax",
+    secure: process.env.NODE_ENV === "production",
  });
 }

--- a/turbo.json
+++ b/turbo.json
@@ -12,7 +12,8 @@
    "ZITADEL_API_URL",
    "ZITADEL_SERVICE_USER_TOKEN",
    "NEXT_PUBLIC_BASE_PATH",
-    "CUSTOM_REQUEST_HEADERS"
+    "CUSTOM_REQUEST_HEADERS",
+    "NODE_ENV"
  ],
  "tasks": {
    "generate": {