From 737fbca027d423fa2d9b2c718b23a97f8c100017 Mon Sep 17 00:00:00 2001
From: Code-lab-web <145796632+Code-lab-web@users.noreply.github.com>
Date: Mon, 16 Feb 2026 17:37:14 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 4: Clear text transmission of sensitive cookie
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 backend/app.js | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/backend/app.js b/backend/app.js
index db017e7dea..69973bafbf 100644
--- a/backend/app.js
+++ b/backend/app.js
@@ -12,6 +12,7 @@ var indexRouter = require('./routes/index');
 var authRouter = require('./routes/auth');
 var app = express();
+app.set('trust proxy', 1);
 app.locals.pluralize = require('pluralize');
@@ -29,7 +30,11 @@ app.use(session({
 secret: 'keyboard cat',
 resave: false,
 saveUninitialized: false,
- store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' })
+ store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' }),
+ cookie: {
+ secure: true,
+ httpOnly: true
+ }
 }));
 app.use('/', indexRouter);
 app.use('/', authRouter);
@@ -64,7 +69,11 @@ app.use(session({
 secret: 'keyboard cat',
 resave: false,
 saveUninitialized: false,
- store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' })
+ store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' }),
+ cookie: {
+ secure: true,
+ httpOnly: true
+ }
 }));
 app.use('/', indexRouter);
 app.use('/', authRouter);
@@ -72,7 +81,11 @@ app.use(session({
 secret: 'keyboard cat',
 resave: false,
 saveUninitialized: false,
- store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' })
+ store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' }),
+ cookie: {
+ secure: true,
+ httpOnly: true
+ }
 }));
 app.use(passport.authenticate('session'));
 // catch 404 and forward to error handler
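Review bot: `app.set('trust proxy', 1)` makes Express believe the `X-Forwarded-*` headers of the directly connected peer, which is only correct when exactly one reverse proxy (the TLS terminator) always sits in front of this app; if the process can also be reached directly, `req.secure` (which the new `secure: true` cookie option relies on) and `req.ip` become whatever the client's connection says they are. The hunk gives no indication of the deployment, so the assumption should be written down next to the line, e.g. `// exactly one trusted reverse proxy (TLS termination) in front of this app; revisit if the topology changes`. Note that `1` is a hop count, not a boolean, and is worth making configurable rather than hard-coding.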
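Review bot: `secure: true` is unconditional, so whenever the app is served over plain HTTP (local development, or any environment without TLS in front) express-session will not set the cookie and logins will silently fail to persist; the usual shape is to derive it from the environment, `secure: process.env.NODE_ENV === 'production',` or `secure: 'auto',` which follows `req.secure`. The new cookie block sets `httpOnly` but no `sameSite`; `sameSite: 'lax',` is the natural companion for a session cookie. The hunk headers at -29, -64, -72 and -96 each show `app.use(session({` with identical options, which suggests the session middleware is registered four times on one app; if so, each later registration re-runs session lookup and replaces `req.session` on every request, and only one of them should remain, with the same cookie settings. The context lines also still carry `secret: 'keyboard cat'` as a literal in every copy, which the scanning alert did not cover but which belongs in configuration (e.g. `process.env.SESSION_SECRET`) rather than in source.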
@@ -96,7 +109,11 @@ app.use(session({
 secret: 'keyboard cat',
 resave: false,
 saveUninitialized: false,
- store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' })
+ store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' }),
+ cookie: {
+ secure: true,
+ httpOnly: true
+ }
 }));
 app.use(passport.authenticate('session'));
 // catch 404 and forward to error handler