Add "Secure" flag to all cookies

tom2drum · tom2drum · commit 9d8c84fcb23f · 2026-02-26T11:25:51.000+01:00
Resolves #3296
diff --git a/configs/app/app.ts b/configs/app/app.ts
@@ -21,7 +21,7 @@ const app = Object.freeze({
   isDev,
   isReview,
   isPw,
-  protocol: appSchema,
+  protocol: appSchema || 'https',
   host: appHost,
   port: appPort,
   baseUrl,
diff --git a/lib/cookies.ts b/lib/cookies.ts
@@ -1,5 +1,6 @@
 import Cookies from 'js-cookie';
 
+import config from 'configs/app';
 import { isBrowser } from 'toolkit/utils/isBrowser';
 
 /**
@@ -40,6 +41,11 @@ export const PRIVATE_MODE_DISALLOWED: ReadonlyArray<NAMES> = [
   NAMES.MIXPANEL_DEBUG,
 ];
 
+export const getDefaultAttributes = () => ({
+  path: '/',
+  secure: config.app.protocol === 'https',
+});
+
 export function get(name?: NAMES | undefined | null, serverCookie?: string) {
   if (!isBrowser()) {
     return serverCookie ? getFromCookieString(serverCookie, name) : undefined;
@@ -72,13 +78,11 @@ export function set(name: NAMES, value: string, attributes: Cookies.CookieAttrib
     return;
   }
 
-  attributes.path = '/';
-
-  return Cookies.set(name, value, attributes);
+  return Cookies.set(name, value, { ...getDefaultAttributes(), ...attributes });
 }
 
 export function remove(name: NAMES, attributes: Cookies.CookieAttributes = {}) {
-  return Cookies.remove(name, attributes);
+  return Cookies.remove(name, { ...getDefaultAttributes(), ...attributes });
 }
 
 export function getFromCookieString(cookieString: string, name?: NAMES | undefined | null) {
diff --git a/nextjs/getServerSideProps/handlers.ts b/nextjs/getServerSideProps/handlers.ts
@@ -42,7 +42,7 @@ Promise<GetServerSidePropsResult<Props<Pathname>>> => {
   let uuid = cookies.getFromCookieString(req.headers.cookie || '', cookies.NAMES.UUID);
   if (!uuid && appProfile !== 'private') {
     uuid = crypto.randomUUID();
-    res.setHeader('Set-Cookie', `${ cookies.NAMES.UUID }=${ uuid }`);
+    res.setHeader('Set-Cookie', `${ cookies.NAMES.UUID }=${ uuid }; Path=/; ${ config.app.protocol === 'https' ? 'Secure' : '' }`);
   }
 
   const isTrackingDisabled = process.env.DISABLE_TRACKING === 'true' || appProfile === 'private';
diff --git a/nextjs/middlewares/addressFormat.ts b/nextjs/middlewares/addressFormat.ts
@@ -12,9 +12,9 @@ export default function addressFormatMiddleware(req: NextRequest, res: NextRespo
   if (addressFormatCookie) {
     const isValidCookie = config.UI.views.address.hashFormat.availableFormats.includes(addressFormatCookie.value as AddressFormat);
     if (!isValidCookie) {
-      res.cookies.set(cookiesLib.NAMES.ADDRESS_FORMAT, defaultFormat, { path: '/' });
+      res.cookies.set(cookiesLib.NAMES.ADDRESS_FORMAT, defaultFormat, cookiesLib.getDefaultAttributes());
     }
   } else {
-    res.cookies.set(cookiesLib.NAMES.ADDRESS_FORMAT, defaultFormat, { path: '/' });
+    res.cookies.set(cookiesLib.NAMES.ADDRESS_FORMAT, defaultFormat, cookiesLib.getDefaultAttributes());
   }
 }
diff --git a/nextjs/middlewares/appProfile.ts b/nextjs/middlewares/appProfile.ts
@@ -13,7 +13,7 @@ export default function appProfileMiddleware(req: NextRequest, res: NextResponse
 
   const profileValue = headerValue || queryValue;
   if (profileValue === PRIVATE_PROFILE_VALUE) {
-    res.cookies.set(cookiesLib.NAMES.APP_PROFILE, PRIVATE_PROFILE_VALUE, { path: '/' });
+    res.cookies.set(cookiesLib.NAMES.APP_PROFILE, PRIVATE_PROFILE_VALUE, cookiesLib.getDefaultAttributes());
   } else {
     res.cookies.delete(cookiesLib.NAMES.APP_PROFILE);
   }
diff --git a/nextjs/middlewares/colorTheme.ts b/nextjs/middlewares/colorTheme.ts
@@ -8,8 +8,8 @@ export default function colorThemeMiddleware(req: NextRequest, res: NextResponse
 
   if (!colorModeCookie) {
     if (appConfig.UI.colorTheme.default) {
-      res.cookies.set(cookiesLib.NAMES.COLOR_MODE, appConfig.UI.colorTheme.default.colorMode, { path: '/' });
-      res.cookies.set(cookiesLib.NAMES.COLOR_THEME, appConfig.UI.colorTheme.default.id, { path: '/' });
+      res.cookies.set(cookiesLib.NAMES.COLOR_MODE, appConfig.UI.colorTheme.default.colorMode, cookiesLib.getDefaultAttributes());
+      res.cookies.set(cookiesLib.NAMES.COLOR_THEME, appConfig.UI.colorTheme.default.id, cookiesLib.getDefaultAttributes());
     }
   }
 }
diff --git a/nextjs/middlewares/poorReputationTokens.ts b/nextjs/middlewares/poorReputationTokens.ts
@@ -8,7 +8,7 @@ export default function poorReputationTokensMiddleware(req: NextRequest, res: Ne
     const showPoorReputationTokensCookie = req.cookies.get(cookiesLib.NAMES.SHOW_POOR_REPUTATION_TOKENS);
 
     if (!showPoorReputationTokensCookie) {
-      res.cookies.set(cookiesLib.NAMES.SHOW_POOR_REPUTATION_TOKENS, 'false', { path: '/' });
+      res.cookies.set(cookiesLib.NAMES.SHOW_POOR_REPUTATION_TOKENS, 'false', cookiesLib.getDefaultAttributes());
     }
   }
 }
diff --git a/nextjs/middlewares/scamTokens.ts b/nextjs/middlewares/scamTokens.ts
@@ -8,7 +8,7 @@ export default function scamTokensMiddleware(req: NextRequest, res: NextResponse
     const showScamTokensCookie = req.cookies.get(cookiesLib.NAMES.SHOW_SCAM_TOKENS);
 
     if (!showScamTokensCookie) {
-      res.cookies.set(cookiesLib.NAMES.SHOW_SCAM_TOKENS, 'false', { path: '/' });
+      res.cookies.set(cookiesLib.NAMES.SHOW_SCAM_TOKENS, 'false', cookiesLib.getDefaultAttributes());
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ Promise<GetServerSidePropsResult<Props<Pathname>>> => {`
`42`	`42`	`let uuid = cookies.getFromCookieString(req.headers.cookie \|\| '', cookies.NAMES.UUID);`
`43`	`43`	`if (!uuid && appProfile !== 'private') {`
`44`	`44`	`uuid = crypto.randomUUID();`
`45`		- res.setHeader('Set-Cookie', `${ cookies.NAMES.UUID }=${ uuid }`);
	`45`	+ res.setHeader('Set-Cookie', `${ cookies.NAMES.UUID }=${ uuid }; Path=/; ${ config.app.protocol === 'https' ? 'Secure' : '' }`);
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`const isTrackingDisabled = process.env.DISABLE_TRACKING === 'true' \|\| appProfile === 'private';`
Original file line number	Diff line number	Diff line change
`@@ -12,9 +12,9 @@ export default function addressFormatMiddleware(req: NextRequest, res: NextRespo`
`12`	`12`	`if (addressFormatCookie) {`
`13`	`13`	`const isValidCookie = config.UI.views.address.hashFormat.availableFormats.includes(addressFormatCookie.value as AddressFormat);`
`14`	`14`	`if (!isValidCookie) {`
`15`		`- res.cookies.set(cookiesLib.NAMES.ADDRESS_FORMAT, defaultFormat, { path: '/' });`
	`15`	`+ res.cookies.set(cookiesLib.NAMES.ADDRESS_FORMAT, defaultFormat, cookiesLib.getDefaultAttributes());`
`16`	`16`	`}`
`17`	`17`	`} else {`
`18`		`- res.cookies.set(cookiesLib.NAMES.ADDRESS_FORMAT, defaultFormat, { path: '/' });`
	`18`	`+ res.cookies.set(cookiesLib.NAMES.ADDRESS_FORMAT, defaultFormat, cookiesLib.getDefaultAttributes());`
`19`	`19`	`}`
`20`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ export default function appProfileMiddleware(req: NextRequest, res: NextResponse`
`13`	`13`
`14`	`14`	`const profileValue = headerValue \|\| queryValue;`
`15`	`15`	`if (profileValue === PRIVATE_PROFILE_VALUE) {`
`16`		`- res.cookies.set(cookiesLib.NAMES.APP_PROFILE, PRIVATE_PROFILE_VALUE, { path: '/' });`
	`16`	`+ res.cookies.set(cookiesLib.NAMES.APP_PROFILE, PRIVATE_PROFILE_VALUE, cookiesLib.getDefaultAttributes());`
`17`	`17`	`} else {`
`18`	`18`	`res.cookies.delete(cookiesLib.NAMES.APP_PROFILE);`
`19`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,8 @@ export default function colorThemeMiddleware(req: NextRequest, res: NextResponse`
`8`	`8`
`9`	`9`	`if (!colorModeCookie) {`
`10`	`10`	`if (appConfig.UI.colorTheme.default) {`
`11`		`- res.cookies.set(cookiesLib.NAMES.COLOR_MODE, appConfig.UI.colorTheme.default.colorMode, { path: '/' });`
`12`		`- res.cookies.set(cookiesLib.NAMES.COLOR_THEME, appConfig.UI.colorTheme.default.id, { path: '/' });`
	`11`	`+ res.cookies.set(cookiesLib.NAMES.COLOR_MODE, appConfig.UI.colorTheme.default.colorMode, cookiesLib.getDefaultAttributes());`
	`12`	`+ res.cookies.set(cookiesLib.NAMES.COLOR_THEME, appConfig.UI.colorTheme.default.id, cookiesLib.getDefaultAttributes());`
`13`	`13`	`}`
`14`	`14`	`}`
`15`	`15`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ export default function poorReputationTokensMiddleware(req: NextRequest, res: Ne`
`8`	`8`	`const showPoorReputationTokensCookie = req.cookies.get(cookiesLib.NAMES.SHOW_POOR_REPUTATION_TOKENS);`
`9`	`9`
`10`	`10`	`if (!showPoorReputationTokensCookie) {`
`11`		`- res.cookies.set(cookiesLib.NAMES.SHOW_POOR_REPUTATION_TOKENS, 'false', { path: '/' });`
	`11`	`+ res.cookies.set(cookiesLib.NAMES.SHOW_POOR_REPUTATION_TOKENS, 'false', cookiesLib.getDefaultAttributes());`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ export default function scamTokensMiddleware(req: NextRequest, res: NextResponse`
`8`	`8`	`const showScamTokensCookie = req.cookies.get(cookiesLib.NAMES.SHOW_SCAM_TOKENS);`
`9`	`9`
`10`	`10`	`if (!showScamTokensCookie) {`
`11`		`- res.cookies.set(cookiesLib.NAMES.SHOW_SCAM_TOKENS, 'false', { path: '/' });`
	`11`	`+ res.cookies.set(cookiesLib.NAMES.SHOW_SCAM_TOKENS, 'false', cookiesLib.getDefaultAttributes());`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`	`}`