From 9d5d5065f91f35db5daf71496494511478fd389b Mon Sep 17 00:00:00 2001
From: AnyCPU
Date: Mon, 16 Feb 2026 00:09:46 +0200
Subject: [PATCH] Set Secure flag on kamal-writer cookie when TLS is active
---
 internal/server/load_balancer.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/internal/server/load_balancer.go b/internal/server/load_balancer.go
index 6bec9ae..de68fec 100644
--- a/internal/server/load_balancer.go
+++ b/internal/server/load_balancer.go
@@ -179,7 +179,7 @@ func (lb *LoadBalancer) StartRequest(w http.ResponseWriter, r *http.Request) fun
 }
 if lb.writerAffinityTimeout > 0 && lb.hasReaders && !readRequest {
- w = newLoadBalancerReponseWriter(w, lb.writerAffinityTimeout)
+ w = newLoadBalancerReponseWriter(w, lb.writerAffinityTimeout, r.TLS != nil)
 }
 lb.setTargetHeader(req, target)
@@ -302,13 +302,15 @@ type loadBalancerResponseWriter struct {
 http.ResponseWriter
 headerWritten bool
 writerAffinityTimeout time.Duration
+ secure bool
 }
-func newLoadBalancerReponseWriter(w http.ResponseWriter, writerAffinityTimeout time.Duration) *loadBalancerResponseWriter {
+func newLoadBalancerReponseWriter(w http.ResponseWriter, writerAffinityTimeout time.Duration, secure bool) *loadBalancerResponseWriter {
 return &loadBalancerResponseWriter{
 ResponseWriter: w,
 headerWritten: false,
 writerAffinityTimeout: writerAffinityTimeout,
+ secure: secure,
 }
 }
@@ -352,6 +354,7 @@ func (w *loadBalancerResponseWriter) setWriterAffinityCookie() {
 Value: strconv.FormatInt(expires.UnixMilli(), 10),
 Path: "/",
 HttpOnly: true,
+ Secure: w.secure,
 Expires: expires.Add(time.Second),
 }
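Review bot: `r.TLS != nil` at the `newLoadBalancerReponseWriter` call only reflects TLS terminated by this process, so when an upstream load balancer or CDN terminates HTTPS and forwards plain HTTP, the writer-affinity cookie is still issued without `Secure`. If the project has a setting for trusting forwarded headers (none is visible in this hunk), the flag could also honour `X-Forwarded-Proto: https` when that trust is enabled, and never otherwise, since the header is client-controlled. Failing that, a comment such as `// Secure only when TLS terminates here; upstream-terminated HTTPS is not detected.` would record the limitation. StartRequest's body starts and ends outside the hunk.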
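Review bot: The new `secure` field and the third parameter of `newLoadBalancerReponseWriter` are undocumented, and a bare positional boolean makes the call site hard to read without opening the constructor. A field comment such as `// secure marks the affinity cookie Secure; set when the client request arrived over TLS.` would state what the value controls and where it comes from. A one-line doc comment on the constructor naming the `secure` argument would serve the same purpose for callers.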
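Review bot: Nothing in this commit checks the new `Secure: w.secure` line, since the diffstat lists only load_balancer.go, so a later change that drops the attribute on TLS requests would go unnoticed. A test that issues a write request once with `r.TLS` set and once without, then asserts the `Secure` attribute on the resulting Set-Cookie header, would pin both branches. The visible fields also set no `SameSite`; the cookie literal begins above the hunk, so confirm whether it is set there. setWriterAffinityCookie's body starts and ends outside the hunk.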