From 8784aa4c2069840e3224d837c2e77adaabda1972 Mon Sep 17 00:00:00 2001
From: Bruno Carvalho <bruno.cs.soares@gmail.com>
Date: Tue, 9 Jun 2026 14:39:37 -0300
Subject: [PATCH 1/2] fix: force secure response cookies

---
 runtime/response/response.go      |  1 +
 runtime/response/response_test.go | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/runtime/response/response.go b/runtime/response/response.go
index fefed47..94784bc 100644
--- a/runtime/response/response.go
+++ b/runtime/response/response.go
@@ -167,6 +167,7 @@ func ValidationHTML(result validation.Result) string {
 func WriteHTTP(writer http.ResponseWriter, result Response) error {
 	status := statusOrDefault(result)
 	for _, cookie := range result.Cookies {
+		cookie.Secure = true
 		http.SetCookie(writer, &cookie)
 	}
 	switch result.Kind {
diff --git a/runtime/response/response_test.go b/runtime/response/response_test.go
index 21da542..4941347 100644
--- a/runtime/response/response_test.go
+++ b/runtime/response/response_test.go
@@ -141,6 +141,35 @@ func TestWriteHTTPWritesRedirect(t *testing.T) {
 	}
 }
 
+func TestWriteHTTPForcesSecureCookies(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	result := WithCookie(HTMLBody(http.StatusOK, "ok"), http.Cookie{
+		Name:     "session",
+		Value:    "abc",
+		Path:     "/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+
+	if err := WriteHTTP(recorder, result); err != nil {
+		t.Fatal(err)
+	}
+
+	cookies := recorder.Result().Cookies()
+	if len(cookies) != 1 {
+		t.Fatalf("expected one cookie, got %#v", cookies)
+	}
+	if !cookies[0].Secure {
+		t.Fatalf("expected secure cookie, got %#v", cookies[0])
+	}
+	if !cookies[0].HttpOnly || cookies[0].SameSite != http.SameSiteLaxMode || cookies[0].Path != "/" {
+		t.Fatalf("expected existing cookie attributes to be preserved, got %#v", cookies[0])
+	}
+	if result.Cookies[0].Secure {
+		t.Fatalf("WriteHTTP should not mutate response cookie input: %#v", result.Cookies[0])
+	}
+}
+
 func TestWriteNoStoreHTTP(t *testing.T) {
 	recorder := httptest.NewRecorder()
 

From c3e97c48c7d4061bae9df795d15722cbdbfe9869 Mon Sep 17 00:00:00 2001
From: Bruno <bruno.cs.soares@gmail.com>
Date: Tue, 9 Jun 2026 15:29:40 -0300
Subject: [PATCH 2/2] Ensure cookies are marked as secure in WriteHTTP

Set cookies to be secure when writing HTTP responses.
---
 runtime/response/response.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/runtime/response/response.go b/runtime/response/response.go
index 94784bc..a49c263 100644
--- a/runtime/response/response.go
+++ b/runtime/response/response.go
@@ -167,7 +167,7 @@ func ValidationHTML(result validation.Result) string {
 func WriteHTTP(writer http.ResponseWriter, result Response) error {
 	status := statusOrDefault(result)
 	for _, cookie := range result.Cookies {
-		cookie.Secure = true
+	
 		http.SetCookie(writer, &cookie)
 	}
 	switch result.Kind {