How to set secure cookie using heroku + node.js + express?


I have a node.js app running on the Cedar stack and I'm puzzled why secure cookies don't work.

"express": "3.0.3",
"node": ">=0.8.14",

...
app.use(express.session({
    secret : 'somesecret',
    store : // store works fine, sessions are stored
    key : 'sid',
    cookie : {
        secure : true, // it works without the secure flag (cookie is set)
        proxy : true,  // tried using this as well, no difference
        maxAge: 5184000000 // 2 months
    }
}));
...

On localhost everything works fine, but on Heroku I don't seem to be able to set a secure cookie. What am I doing wrong? The docs say the load balancer terminates SSL; is it something to configure over there? Thanks a lot.


You are correct that Heroku terminates SSL before it reaches your app. That causes express to see non-ssl traffic, and that's likely why it's refusing to set the cookie when running on Heroku.

Heroku sets an X-Forwarded-Proto header with the original protocol. I haven't tested this, but according to the documentation, you have to tell express to respect the information in that header by setting trust proxy as documented here. Additional details are found under req.protocol here.



Solution

The problem was that I set proxy: true in the wrong place; it should look as follows:

...
app.enable('trust proxy'); // optional, not needed for secure cookies
app.use(express.session({
    secret : 'somesecret',
    store : ..., // store works fine, sessions are stored
    key : 'sid',
    proxy : true, // add this when behind a reverse proxy, if you need secure cookies
    cookie : {
        secure : true,
        maxAge: 5184000000 // 2 months
    }
}));
...

Also add app.enable('trust proxy'); as suggested by @friism, in case you want to use req.protocol somewhere in the Heroku-hosted app.
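To make the behaviour behind the fix concrete, here is an added example (not code from the question, the answers, or Express itself) that re-implements the decision the session middleware makes when it is asked to emit a cookie marked Secure: the request only counts as TLS when Node itself saw an encrypted socket, or when the app has been told it sits behind a trusted proxy and the proxy's X-Forwarded-Proto header says the original request was HTTPS. The request objects, the cookie name sid and the session id are all constructed for the demo; the function names isTlsRequest and buildSessionCookie are this example's own, not an Express API.

```javascript
// Added example: a minimal re-implementation of the "is this request TLS?"
// decision that sits behind Express 3's cookie.secure + proxy options.
// Nothing here calls Express; the request objects below are constructed.

const COOKIE_NAME = 'sid'; // matches the key used in the question

// A request is treated as TLS when Node terminated TLS itself, or, ONLY when
// the app is configured to trust its reverse proxy, when the proxy reports the
// original scheme as https. With trustProxy false the header is ignored, which
// is why the question's cookie was never set: Heroku's router terminates SSL,
// so req.connection.encrypted is false on the dyno. The header may hold a
// comma-separated chain of hops; only the first (client-facing) entry counts.
function isTlsRequest(req, trustProxy) {
  if (req.connection && req.connection.encrypted) return true;
  if (!trustProxy) return false;
  const forwarded = String(req.headers['x-forwarded-proto'] || '');
  return forwarded.split(',')[0].trim().toLowerCase() === 'https';
}

// Builds the Set-Cookie header value for the session cookie, or returns null
// when the cookie is marked Secure but the request was not seen as TLS.
// options mirrors the shape used in the Solution: { proxy, cookie: { secure, maxAge } }
// plus a constructed sessionId for the demo.
function buildSessionCookie(req, options) {
  const { proxy = false, cookie = {}, sessionId } = options;
  const { secure = false, maxAge, httpOnly = true, path = '/' } = cookie;
  if (secure && !isTlsRequest(req, proxy)) return null;

  const parts = [`${COOKIE_NAME}=${sessionId}`, `Path=${path}`];
  if (typeof maxAge === 'number') {
    // Express-style maxAge is in milliseconds; Max-Age on the wire is seconds.
    parts.push(`Max-Age=${Math.floor(maxAge / 1000)}`);
  }
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Constructed sample requests (not captured traffic):
// 1. what a dyno sees for an https://... request via Heroku's router
const herokuHttpsRequest = {
  connection: { encrypted: false },
  headers: { 'x-forwarded-proto': 'https' },
};
// 2. the same app reached over plain http:// through the router
const herokuHttpRequest = {
  connection: { encrypted: false },
  headers: { 'x-forwarded-proto': 'http' },
};
// 3. a local dev server where Node terminates TLS itself
const localTlsRequest = { connection: { encrypted: true }, headers: {} };

const sessionOptions = {
  sessionId: 'demo-session-id', // constructed value
  cookie: { secure: true, maxAge: 5184000000 }, // 2 months, as in the question
};

// Returns the outcome for each scenario so the effect of proxy: true is visible.
function demo() {
  return {
    herokuWithoutProxyFlag: buildSessionCookie(herokuHttpsRequest, { ...sessionOptions, proxy: false }),
    herokuWithProxyFlag: buildSessionCookie(herokuHttpsRequest, { ...sessionOptions, proxy: true }),
    herokuPlainHttp: buildSessionCookie(herokuHttpRequest, { ...sessionOptions, proxy: true }),
    localTls: buildSessionCookie(localTlsRequest, { ...sessionOptions, proxy: false }),
  };
}

console.log(demo());
```

Running it shows the asymmetry the thread is about: the same HTTPS request through Heroku yields no cookie with proxy: false and a full `sid=...; Path=/; Max-Age=5184000; HttpOnly; Secure` header with proxy: true, while a plain-HTTP request through the router still gets nothing, as it should. The trustProxy gate also illustrates why the flag should only be enabled when a proxy you control is in front of the app: without one, the header is client-supplied.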



If you're using cookie-session it should look like this:

  app.use require('cookie-session') 
    secret: '<secret>'
    secureProxy: true






