fix(security): mark auth cookies Secure outside localhost

The user and logout cookies were set with secure:false, so the AniList tokens the user cookie carries could traverse plaintext HTTP. Drop the override and let SvelteKit's default apply (Secure everywhere except http://localhost), giving Secure in production and on https://due.localhost while keeping plain-http local dev working. httpOnly is unchanged (the client reads the token from layout data; tightening that is tracked separately as the architectural part of C2).
author: Fuwn <[email protected]> 2026-06-01 13:01:06 +0000
committer: Fuwn <[email protected]> 2026-06-01 13:01:06 +0000
commit: 52bcd7cca8da48a62ba52d51ee5a1cf5f0a5f6a5 (patch)
tree: 42c653a09d5fa0de9802f2e5ef9bd62f4a3d98ae /src/routes/api/authentication/log-out/+server.ts
parent: fix(security): escape badge source/designer to close stored XSS (diff)
download: due.moe-52bcd7cca8da48a62ba52d51ee5a1cf5f0a5f6a5.tar.xz
due.moe-52bcd7cca8da48a62ba52d51ee5a1cf5f0a5f6a5.zip
1 files changed, 0 insertions, 1 deletions
diff --git a/src/routes/api/authentication/log-out/+server.ts b/src/routes/api/authentication/log-out/+server.ts
index 8623dfd1..fd5d37bf 100644
--- a/src/routes/api/authentication/log-out/+server.ts
+++ b/src/routes/api/authentication/log-out/+server.ts
@@ -8,7 +8,6 @@ export const GET = ({ cookies }) => {
 		maxAge: 60 * 60 * 24 * 7,
 		httpOnly: false,
 		sameSite: "lax",
-		secure: false,
 	});
 
 	redirect(303, root("/"));
author	Fuwn <[email protected]>	2026-06-01 13:01:06 +0000
committer	Fuwn <[email protected]>	2026-06-01 13:01:06 +0000
commit	52bcd7cca8da48a62ba52d51ee5a1cf5f0a5f6a5 (patch)
tree	42c653a09d5fa0de9802f2e5ef9bd62f4a3d98ae /src/routes/api/authentication/log-out/+server.ts
parent	fix(security): escape badge source/designer to close stored XSS (diff)
download	due.moe-52bcd7cca8da48a62ba52d51ee5a1cf5f0a5f6a5.tar.xz due.moe-52bcd7cca8da48a62ba52d51ee5a1cf5f0a5f6a5.zip