http: add Secure flag to TXID cookie #447

Open: TanayK07 wants to merge 1 commit into superfly:main from TanayK07:fix/cookie-secure-flag

@TanayK07 TanayK07 commented Mar 5, 2026

The __txid cookie was being set without the Secure flag, allowing it to be transmitted over unencrypted connections. Since LiteFS typically runs behind a TLS-terminating reverse proxy, default SecureCookie to true so the cookie is only sent over HTTPS.

A "secure-cookie" option is added to the proxy YAML config so that users running local development without TLS can explicitly disable it.

Fixes #440

The __txid cookie was being set without the Secure flag, allowing it
to be transmitted over unencrypted connections. Since LiteFS typically
runs behind a TLS-terminating reverse proxy, default SecureCookie to
true so the cookie is only sent over HTTPS.

A "secure-cookie" option is added to the proxy YAML config so that
users running local development without TLS can explicitly disable it.

Fixes superfly#440
@TanayK07

hey @benbjohnson sorry to bug you, any chance of a quick look at this one? it's a small security fix (12 lines) for the missing Secure flag on the __txid cookie, fixes #440. we run litefs at work so happy to adjust if anything needs changing. thanks!
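The behaviour the pull request describes (Secure on by default, with an explicit opt-out for local development without TLS), sketched as an added example that is not code from this pull request or from LiteFS. `ProxyConfig`, its pointer-typed `SecureCookie` field, `txidHandler`, `insecureCookies` and the cookie value are assumptions made for illustration; only the `__txid` cookie name and the `secure-cookie` option name come from the page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ProxyConfig is a hypothetical stand-in for the proxy settings. A nil
// SecureCookie models a config file that omits "secure-cookie"; a plain bool
// would silently fall back to false (insecure) when the key is absent.
type ProxyConfig struct {
	SecureCookie *bool
}

// secure returns the effective setting: on unless explicitly disabled.
func (c ProxyConfig) secure() bool {
	return c.SecureCookie == nil || *c.SecureCookie
}

// txidHandler sets the __txid cookie on every response (constructed value).
func txidHandler(c ProxyConfig) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, &http.Cookie{
			Name: "__txid", Value: "0000000000000001", Path: "/",
			Secure: c.secure(),
		})
	})
}

// insecureCookies sends one request through h and returns the names of the
// response cookies that lack the Secure attribute.
func insecureCookies(h http.Handler) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	var names []string
	for _, ck := range rec.Result().Cookies() {
		if !ck.Secure {
			names = append(names, ck.Name)
		}
	}
	return names
}

func main() {
	off := false
	fmt.Println("option omitted:", insecureCookies(txidHandler(ProxyConfig{})))
	fmt.Println("secure-cookie: false:",
		insecureCookies(txidHandler(ProxyConfig{SecureCookie: &off})))
}
```

A check like `insecureCookies` can sit in a regression test so that the default cannot drift back to an unflagged cookie unnoticed.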

Successfully merging this pull request may close these issues.

__txid cookie is missing secure flag
