fix(auth): warn at startup when Secure cookies will break plain-HTTP LAN login
NODE_ENV=production enables the Secure flag on session cookies. Browsers
silently drop Secure cookies over plain HTTP, causing login to fail with no
visible error when HOST=0.0.0.0 is used on a LAN without HTTPS.

- Add startup warning in server-entry.js when non-loopback host + production
  + COOKIE_SECURE not explicitly disabled
- Document COOKIE_SECURE=0 in .env.example alongside the existing =1 case
- Add COOKIE_SECURE entry to README env-vars table

Closes #149

Worked with Interstellar Code

(cherry picked from commit d88d899481871f2d9ac5d01f5c318f668d1e6873)
committed by Aurora release bot
parent 573e7cb83c
commit 6ed37d2d9a
@@ -565,6 +565,7 @@ Features pending cloud infrastructure:
- `CLAUDE_PASSWORD` — required whenever `HOST ≠ 127.0.0.1`
- `COOKIE_SECURE=1` — force the `Secure` cookie flag when terminating HTTPS at a proxy
- `COOKIE_SECURE=0` — disable the `Secure` flag for plain-HTTP LAN deployments (`HOST=0.0.0.0` without HTTPS); without this, browsers silently drop session cookies and login fails (#149)
- `TRUST_PROXY=1` — trust `x-forwarded-for` / `x-real-ip` (only set behind a sanitizing reverse proxy)
- `HERMES_DASHBOARD_TOKEN` — explicit bearer for dashboard API (preferred over the legacy HTML-scrape fallback)
- `CLAUDE_ALLOW_INSECURE_REMOTE=1` — bypass the fail-closed guard (not recommended)
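Review bot: the new `COOKIE_SECURE=0` entry should say what happens when the variable is unset (per the commit message the flag is derived from `NODE_ENV=production`), and it should state the trade-off explicitly: with `Secure` disabled the session cookie is transmitted in cleartext, so the setting is only appropriate on a trusted LAN segment and should be dropped again as soon as HTTPS is available. Since the commit also adds a startup warning for the non-loopback + production + `COOKIE_SECURE` unset case, a short pointer to that warning here would help readers who hit #149 connect the log line to this knob, e.g. "(the server logs a warning at startup when this applies)". A minor style point: this entry is considerably longer than the surrounding one-liners; moving the explanation of the symptom into a sentence after the list, or trimming it, would keep the table scannable.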