Pre-public hardening: secure cookies in production, widen .gitignore#3
Conversation
- Session cookie gets secure: true (with trust proxy) under NODE_ENV=production instead of relying on a comment telling the reader to flip it - Ignore all .env* variants except .env.example so adapted clones can't accidentally commit .env.local / .env.production
|
Thanks @greptile-apps — 5/5, no changes needed. One clarification for future readers: the cookie is set with |
|
Noted, thanks for the clarification. The conditional behavior is exactly right for a demo that runs over plain HTTP locally — unconditional |
The two "recommended" findings from the pre-public audit:
Session cookie
secureflag — previously a comment told readers to enablecookie.secureandtrust proxyonce serving HTTPS. Since example code gets copied verbatim and that comment is easy to miss, the code now does it:secure: NODE_ENV === 'production'plusapp.set('trust proxy', 1)in production. Dev behavior over plain HTTP is unchanged..gitignorewidening — only the literal.envwas ignored, so a clone using.env.localor.env.production(both conventional) could silently commit real keys. Now.env*is ignored with a!.env.examplenegation.Verified: lint / format / typecheck green; app booted and served in both dev and
NODE_ENV=production;git check-ignoreconfirms.env,.env.local,.env.productionignored and.env.examplenot.Devin shepherd: https://app.devin.ai/sessions/5cea8ddb44784c8596bedfa2670129a7