Harden session cookie security with configurable cookie flags
@@ -33,6 +33,7 @@ Reference: `Docs/Refactoring.md` for full analysis of each issue.
- Hardcoding `secure=False` makes production deployment insecure.
- Switching to `secure=True` can break local development unless there is an explicit dev override.
- The frontend API may need matching CORS and same-site handling when served from a different origin.
- Status: completed — implemented configurable session cookie flags and secure mode support.
### 4. Address session cache invalidation semantics
- Where found: `backend/app/dependencies.py`
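Review bot: the added `- Status: completed` line marks issue 3 done without recording which cookie flags became configurable, what the production default is, or how the local-development override from the "Switching to `secure=True` can break local development" bullet is selected, so a reader of `Docs/Refactoring.md` still cannot tell what to set where. Since the first bullet flags hardcoded `secure=False` as the original defect, the status line should state explicitly that the default is the secure setting and that development is an explicit opt-out; a configurable flag that defaults to insecure only moves the problem into configuration. It should also say whether the third bullet (matching CORS and same-site handling for a frontend served from a different origin) was addressed or deliberately deferred, since "completed" currently reads as covering all three concerns. Suggested shape: `- Status: completed — session cookie flags are configurable; default is secure, development requires an explicit override; CORS/same-site handling: <addressed or deferred>`.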