
Potential fix for code scanning alert no. 4: Clear text transmission of sensitive cookie #2

Merged
Code-lab-web merged 1 commit into main from alert-autofix-4 on Feb 16, 2026

Conversation

@Code-lab-web
Owner

Potential fix for https://github.com/Code-lab-web/project-final/security/code-scanning/4

In general, to fix this issue you must configure the session cookie to have secure: true so it is only sent over HTTPS, and ideally also set httpOnly: true (not directly related to this finding but a best practice). When running behind a reverse proxy that terminates TLS, Express also needs app.set('trust proxy', 1) so that express-session respects cookie.secure even though the direct connection to Node is HTTP.

The best fix here is to update each app.use(session({ ... })) call in backend/app.js to include a cookie field with secure: true and httpOnly: true, and to ensure app.set('trust proxy', 1) is configured once after creating the Express app. We must not change existing functionality apart from tightening cookie security, so we will keep all existing options (secret, resave, saveUninitialized, store) unchanged. The file contains three separate session initializations (lines 28–33, 63–68, 95–100); all three should be updated consistently. No new imports are required; we only adjust the configuration object and add the trust proxy setting.

Concretely:

  • After var app = express(); (first definition, line 14) add app.set('trust proxy', 1);.
  • Modify the session config starting at line 28 to:
    app.use(session({
      secret: 'keyboard cat',
      resave: false,
      saveUninitialized: false,
      store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' }),
      cookie: {
        secure: true,
        httpOnly: true
      }
    }));
  • Apply the same cookie block to the session configs at lines 63–68 and 95–100.
    We leave the rest of the code unchanged.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…of sensitive cookie

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
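The comment above explains two things that interact: a cookie with `secure: true` is only ever emitted over an HTTPS connection, and behind a TLS-terminating reverse proxy Express only believes the connection is HTTPS when `trust proxy` is set. The following is an added illustration, not code from this repository or from express-session itself. It models the decision express-session makes (refuse to set a Secure cookie when the request is not considered secure) using the same inputs Express uses: the socket's own TLS state and, if the proxy is trusted, the first `X-Forwarded-Proto` value. The request objects, the session id and the `demo` helper are constructed here for the example; real express-session also supports a separate `proxy` option, which this simplified model does not cover.

```javascript
// Added example (not the project's code): a dependency-free model of how
// express-session decides whether to emit a Secure session cookie, and why
// app.set('trust proxy', 1) matters when TLS terminates at a reverse proxy.

// Simplified version of Express's req.protocol: a TLS socket is always https;
// otherwise the first X-Forwarded-Proto value is believed only when the proxy
// is trusted, so a plain-HTTP hop from an untrusted source stays "http".
function requestProtocol(req, trustProxy) {
  if (req.encrypted) return 'https';
  if (!trustProxy) return 'http';
  const header = req.headers['x-forwarded-proto'];
  if (!header) return 'http';
  return header.split(',')[0].trim().toLowerCase();
}

// Returns the Set-Cookie header the session middleware would send, or null
// when the cookie is marked secure but the request is not: express-session
// skips the cookie in that case rather than transmitting it in clear text.
function sessionSetCookie(cookieOpts, req, trustProxy, sid) {
  const secureRequest = requestProtocol(req, trustProxy) === 'https';
  if (cookieOpts.secure === true && !secureRequest) return null;
  const parts = [`connect.sid=${sid}`, 'Path=/'];
  if (cookieOpts.httpOnly) parts.push('HttpOnly');
  if (cookieOpts.secure === true) parts.push('Secure');
  return parts.join('; ');
}

// Cookie options before the fix (no attributes) and after it (as in the PR).
const weakCookie = {};
const hardenedCookie = { secure: true, httpOnly: true };

// Constructed requests: a direct plain-HTTP connection, and a plain-HTTP
// connection from a proxy that terminated TLS and set X-Forwarded-Proto.
const plainHttp = { encrypted: false, headers: {} };
const viaProxy = { encrypted: false, headers: { 'x-forwarded-proto': 'https' } };

// Runs the four cases a reviewer would want to compare; sid is a placeholder.
function demo() {
  return {
    // Before the fix: the cookie goes out over plain HTTP with no protection.
    weakOverHttp: sessionSetCookie(weakCookie, plainHttp, false, 'abc'),
    // After the fix but without trust proxy: Node sees HTTP, so no cookie at
    // all is set and logins silently stop working behind the proxy.
    hardenedNoTrustProxy: sessionSetCookie(hardenedCookie, viaProxy, false, 'abc'),
    // After the fix with trust proxy: the forwarded scheme is honoured and the
    // Secure + HttpOnly cookie is emitted.
    hardenedTrustProxy: sessionSetCookie(hardenedCookie, viaProxy, 1, 'abc'),
    // Direct plain HTTP with a Secure cookie is still refused, as intended.
    hardenedPlainHttp: sessionSetCookie(hardenedCookie, plainHttp, 1, 'abc'),
  };
}

console.log(demo());
```

The `hardenedNoTrustProxy` case is the one to watch for after merging: if the deployment really does sit behind a proxy and the `trust proxy` line were omitted, the symptom would be sessions that never persist rather than an error, so checking that the `Set-Cookie` response header carries `Secure; HttpOnly` through the proxy is the quickest post-deploy verification.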
codesandbox Bot commented Feb 16, 2026

Review or Edit in CodeSandbox


@Code-lab-web Code-lab-web marked this pull request as ready for review February 16, 2026 16:37
@Code-lab-web Code-lab-web merged commit ac3d380 into main Feb 16, 2026
3 checks passed