Cannot send secure cookie over unencrypted connection

System Information
  • Strapi Version: 3.2.5
  • Database: PostgreSQL

Hi!

I have a problem with a secure httpOnly cookie in production; on localhost it works fine.

My Strapi backend is on api.domain.com and my React frontend is on app.domain.com. Both are hosted on DigitalOcean App Platform and CNAME records have been added.
Now I have a login form, and on successful login it should set a secure httpOnly cookie, but instead of that I get a 500 internal server error and in the logs it states:

I don’t understand where or what the problem is.

ctx.cookies.set("token", token, {
    httpOnly: true,
    secure: process.env.NODE_ENV === "production" ? true : false,
    maxAge: 1000 * 60 * 60 * 24 * 14, // 14 Day Age
    domain: process.env.NODE_ENV === "development" ? "localhost" : process.env.APP_DOMAIN,
});

This is the code from cookies. Are you sure you have NODE_ENV right? Have you tried manually setting it to false?

Did you use a secure HTTPS connection? A secure cookie means it is sent only if the connection is over HTTPS.

// https://github.com/pillarjs/cookies/blob/master/index.js
if (!secure && opts && opts.secure) {
    throw new Error('Cannot send secure cookie over unencrypted connection')
}

This error comes only if you connect through HTTP and have secure set to true.

Thanks for your replies.

Both of my sites use HTTPS, yes.

I found out that I had to put this in my strapi configuration:
proxy:true


I’m having the same issues, sivouz. Can you post your config file? I’m not quite sure where to put this proxy value, and is there any documentation on what it is doing?

Cheers

PHIL

Hi!

I put it in the server.js file:

module.exports = ({ env }) => ({
    url: env('PUBLIC_URL', ''),
    proxy: true,
    admin: {
        url: env('PUBLIC_ADMIN_URL', '/'),
        auth: {
            secret: env('ADMIN_JWT_SECRET', ''),
        },
    },
});

Found the solution here:

Great thankyou! All working now.

What does it mean when you set:
proxy: true

I have the same issue

That is a Koa setting: when proxy is true, proxy header fields will be trusted. The Koa documentation is weak: Koa - next generation web framework for node.js

You can find more details at expressjs, which is the same: Express behind proxies


It’s also in our documentation: Configurations - Strapi Developer Documentation

Set the koa variable app.proxy . When true , proxy header fields will be trusted.

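To make the two answers above concrete, here is an added example (not code from the thread, Strapi or Koa) that models how Koa decides whether a request is secure and why `proxy: true` changes the outcome of the `cookies` check. The function names, the request object and the `domain.com` value are constructed for the demonstration.

```javascript
// Model of Koa's request.protocol logic (function names are ours):
//  - a TLS socket is always https;
//  - otherwise X-Forwarded-Proto is consulted only when app.proxy is true,
//    and only its first (leftmost) value counts.
// Behind a TLS-terminating proxy the app sees a plain-HTTP socket, so the
// header is the only evidence that the client connection was encrypted.
function resolveProtocol(req, trustProxy) {
  if (req.socketEncrypted) return 'https';
  if (!trustProxy) return 'http';
  const xfp = req.headers['x-forwarded-proto'];
  if (!xfp) return 'http';
  return xfp.split(/\s*,\s*/)[0].toLowerCase();
}

// Model of the check in the `cookies` package that produced the 500 error:
// a `secure: true` cookie is refused unless the connection was judged secure.
function buildSetCookie(req, trustProxy, name, value, opts) {
  const secure = resolveProtocol(req, trustProxy) === 'https';
  if (!secure && opts.secure) {
    throw new Error('Cannot send secure cookie over unencrypted connection');
  }
  const parts = [`${name}=${value}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.maxAge) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  return parts.join('; ');
}

// Constructed request as a TLS-terminating edge would hand it to Strapi:
// plain HTTP on the socket, with the proxy's X-Forwarded-Proto header.
const proxiedRequest = {
  socketEncrypted: false,
  headers: { 'x-forwarded-proto': 'https' },
};
const cookieOpts = {
  httpOnly: true,
  secure: true,
  maxAge: 1000 * 60 * 60 * 24 * 14, // 14 days, as in the thread
  domain: 'domain.com',             // constructed value
};

// true if the cookie could be set, false if the cookies check threw.
function canSetSecureCookie(req, trustProxy) {
  try { buildSetCookie(req, trustProxy, 'token', 'x', cookieOpts); return true; }
  catch (e) { return false; }
}
// Only enable trustProxy when a proxy you control sets or overwrites the
// header; otherwise any client could claim to be on https.
```

With `trustProxy` false the model throws exactly the error from the title; with it true the same request yields a `Secure; HttpOnly` cookie.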

I also ran into this issue after following Chris Talke’s Cookie setup docco ( How to put JWT's in server side cookies using the Strapi user-permissions plugin | Christopher Talke | Coffs Harbour based ICT Professional | talke.dev); this setting seems to have fixed it. I’m now getting the cookie in the headers when making a postman request.

It would be great to get ‘send auth as a cookie’ into the base version as an option. I assume I’ll need to patch around the cookie implementation whenever there is an upgrade (sry still new to Strapi - haven’t crossed the update bridge yet)