
fix(auth): hardcode secure cookie flag for production (AF-6) #306

Merged
St0rmz1 merged 1 commit into main from fix/af6-hardcode-secure-cookie
Feb 18, 2026

St0rmz1 (Contributor) commented Feb 17, 2026

The old code checked if the request URL was https: to decide the Secure flag. That works in production (always behind Cloudflare, always HTTPS), but it's fragile because it relies on the request protocol rather than an explicit environment signal.

The new code uses WORKER_ENV !== 'development' — so the cookie is Secure in every environment except local dev. This means:

  • Production (WORKER_ENV = 'production' or any non-'development' value): secure: true
  • Local dev (WORKER_ENV = 'development'): secure: false (so HTTP still works locally)

This matches how the rest of kiloclaw already uses WORKER_ENV for environment detection (e.g., the dev- prefix logic in kiloclaw-app.ts:100).

The practical difference is small — production behavior is identical. It just removes the dependency on protocol sniffing, which AF-6 flagged as potentially risky if the worker ever received a non-HTTPS request in production.

@St0rmz1 St0rmz1 marked this pull request as ready for review February 17, 2026 23:55
kiloconnect bot (Contributor) commented Feb 17, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

The change replaces protocol-based secure cookie detection (new URL(c.req.url).protocol === 'https:') with an environment-based check (c.env.WORKER_ENV !== 'development'). This is a sound improvement — it avoids relying on the request URL protocol, which can be unreliable behind reverse proxies or load balancers, and instead uses the explicit environment configuration.

Files Reviewed (1 file)
  • kiloclaw/src/routes/access-gateway.ts
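
The two decisions discussed in this thread, side by side, as an added example that is not part of the pull request or of kiloclaw's code. Only the two boolean expressions come from the thread; the function names, cookie name, attributes other than Secure, and sample URLs are assumptions constructed for illustration.

```typescript
// Added illustration; names, cookie attributes and URLs are hypothetical.
type Env = { WORKER_ENV?: string };

// Old decision from the PR description: trust the scheme of the request URL.
function secureFromProtocol(requestUrl: string): boolean {
  return new URL(requestUrl).protocol === 'https:';
}

// New decision: Secure unless the worker is explicitly in local development.
// An unset or unexpected WORKER_ENV therefore fails closed (Secure is set).
function secureFromEnv(env: Env): boolean {
  return env.WORKER_ENV !== 'development';
}

// Serialize a session cookie; only the Secure attribute varies here.
function buildSessionCookie(value: string, secure: boolean): string {
  const attrs = [`session=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Constructed cases: [label, request URL as the worker sees it, env bindings].
const cases: Array<[string, string, Env]> = [
  ['prod over https', 'https://app.example.test/access', { WORKER_ENV: 'production' }],
  ['prod, URL seen as http', 'http://app.example.test/access', { WORKER_ENV: 'production' }],
  ['WORKER_ENV unset', 'http://app.example.test/access', {}],
  ['local dev', 'http://localhost:8787/access', { WORKER_ENV: 'development' }],
];

// Evaluate both strategies for every case so disagreements are visible.
function compareStrategies(): Array<{ label: string; oldSecure: boolean; newSecure: boolean }> {
  return cases.map(([label, url, env]) => ({
    label,
    oldSecure: secureFromProtocol(url),
    newSecure: secureFromEnv(env),
  }));
}

for (const row of compareStrategies()) {
  const cookie = buildSessionCookie('constructed-token', row.newSecure);
  console.log(`${row.label}: old=${row.oldSecure} new=${row.newSecure} -> ${cookie}`);
}
```

The strategies diverge on the second and third cases: the protocol check would drop Secure when the URL reads as `http:`, while the environment check keeps it.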

@St0rmz1 St0rmz1 merged commit 29907e3 into main Feb 18, 2026
12 checks passed
@St0rmz1 St0rmz1 deleted the fix/af6-hardcode-secure-cookie branch February 18, 2026 04:07