Cannot send secure cookie over unencrypted connection

sivouz · May 30, 2021, 1:31am

System Information

Strapi Version: 3.2.5
Database: PostgreSQL

Hi!

I have a problem with secure httpOnly cookie in production, on localhost it works fine.

My strapi backend is on api.domain.com and my react frontend is on app.domain.com. Both are hosted on DigitalOcean App Platform and CNAME records has been added.
Now I have a login form and then on successful login it should set a secure httpOnly cookie, but instead of that I get an 500 internal server error and in the logs it states:

I don’t understand where or what is the problem?

ctx.cookies.set("token", token, {
            httpOnly: true,
            secure: process.env.NODE_ENV === "production" ? true : false,
            maxAge: 1000 * 60 * 60 * 24 * 14, // 14 Day Age
            domain: process.env.NODE_ENV === "development" ? "localhost" : process.env.APP_DOMAIN,
        });

larsonnn · May 30, 2021, 8:22pm

this is the code from cookies. Are you sure you have NODE_ENV right? Tried manually set to false?

SorinGFS · May 30, 2021, 9:02pm

Did you use a secure https connection? Secure cookie that means, is sent only if connection is over https.

larsonnn · May 30, 2021, 9:10pm

// https://github.com/pillarjs/cookies/blob/master/index.js
 if (!secure && opts && opts.secure) {
    throw new Error('Cannot send secure cookie over unencrypted connection')
  }

this error comes only if you connect through HTTP and have secure set to true.

sivouz · May 30, 2021, 10:34pm

Thanks for your replies.

Both of my sites use HTTPS, yes.

I found out that I had to put this in my strapi configuration:
proxy:true

exposuredesign · June 11, 2021, 6:12pm

I’m having the same issues sivouz. can you post your config file, I’m not quite sure where to put this proxy value and any documentation for it to what it is doing?

Cheers

PHIL

sivouz · June 11, 2021, 6:32pm

Hi!

I put it in the server.js file:

module.exports = ({ env }) => ({
url: env('PUBLIC_URL', ''),
proxy: true,
admin: {
    url: env('PUBLIC_ADMIN_URL', '/'),
    auth: {
        secret: env('ADMIN_JWT_SECRET', ''),
    },
},

});

Found the solution here:

exposuredesign · June 11, 2021, 9:45pm

Great thankyou! All working now.

trangchongcheng · September 9, 2021, 8:01am

What is mean when set:
proxy: true

I have same issue

SorinGFS · September 9, 2021, 4:08pm

That is a koa setting, meaning proxy when true proxy header fields will be trusted. Koa documentation is weak Koa - next generation web framework for node.js

More details you can find at expressjs which is the same: Express behind proxies

DMehaffy · September 10, 2021, 9:53pm

It’s also in our documentation: Configurations | Strapi Documentation

Set the koa variable app.proxy . When true , proxy header fields will be trusted.

gorlaz · September 21, 2021, 10:33pm

I also ran into this issue after following Chris Talke’s Cookie setup docco ( How to put JWT's in server side cookies using the Strapi user-permissions plugin | Christopher Talke | Coffs Harbour based ICT Professional | talke.dev); this setting seems to have fixed it. I’m now getting the cookie in the headers when making a postman request.

It would be great to get ‘send auth as a cookie’ into the base version as an option. I assume I’ll need to patch around the cookie implementation whenever there is an upgrade (sry still new to Strapi - haven’t crossed the update bridge yet)

Qdea · September 27, 2022, 9:07am

It solves my problem, thank you

MHZarei · October 2, 2022, 5:38am

Also you need add this configuration in nginx:
proxy_set_header X-Forwarded-Proto https;

Al_H · January 5, 2023, 9:10am

@MHZarei love you. solved my problem

Khanh_Le · October 11, 2023, 8:54am

thank a lot