From 2856c5ef656f4f2418fbd459d1738f71ccad49fa Mon Sep 17 00:00:00 2001
From: TheFlow
Date: Tue, 14 Oct 2025 15:37:49 +1300
Subject: [PATCH] fix: CSRF cookie secure flag for reverse proxy environments

Check X-Forwarded-Proto header to determine if request is HTTPS
This ensures CSRF cookies work correctly when nginx terminates SSL
---
 src/middleware/csrf-protection.middleware.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/middleware/csrf-protection.middleware.js b/src/middleware/csrf-protection.middleware.js
index 53cc2a55..4da885a1 100644
--- a/src/middleware/csrf-protection.middleware.js
+++ b/src/middleware/csrf-protection.middleware.js
@@ -75,9 +75,12 @@ function setCsrfToken(req, res, next) {
 if (!req.cookies['csrf-token']) {
 const token = generateCsrfToken();
+ //Check if we're behind a proxy (X-Forwarded-Proto header)
+ const isSecure = req.secure || req.headers['x-forwarded-proto'] === 'https';
+
 res.cookie('csrf-token', token, {
 httpOnly: true,
- secure: process.env.NODE_ENV === 'production',
+ secure: isSecure && process.env.NODE_ENV === 'production',
 sameSite: 'strict',
 maxAge: 24 * 60 * 60 * 1000 // 24 hours
 });