SamuraiWTF / samuraiwtf

The main SamuraiWTF collaborative distro repo.

Home Page: https://owasp.org/www-project-samuraiwtf/#SamuraiWTF_Project


We need a trusted TLS connection with some targets

mgillam opened this issue · comments


Due to the changes to browsers (including Chromium and Firefox), CSRF and CORS misconfiguration exercises won't work correctly down the road if the vulnerable targets aren't served through TLS.

This relates to the sameSite cookie. The default behavior is switching from None to Lax, which means cookies will only be included in first-party context, top-level nav, and other GET requests. This can still have some exploits (and would be worth having exercises for), but most of our examples would break. For now, we can set sameSite=None to revert them to classic behavior. However, that's a very temporary fix, as the browsers are going to mandate the secure flag if you want them to respect sameSite=None. The correct solution is probably to generate a CA cert during installation, trust it, and use it to sign certs for the various Nginx reverse proxies.

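To make the breakage described in the issue concrete, here is an added example (not part of the issue or of the SamuraiWTF code) that models how a modern browser decides whether to store a cookie and whether to attach it to a cross-site request under the new Lax default; the hostnames and paths are constructed and the "site" computation assumes no public-suffix special cases.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


def site_of(url: str) -> tuple:
    """Return the (scheme, registrable domain) pair that defines a 'site'.
    Assumption: no public-suffix special cases, so the registrable domain is
    simply the last two host labels (e.g. dojo-basic.test)."""
    parts = urlsplit(url)
    return parts.scheme, ".".join(parts.hostname.split(".")[-2:])


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: Optional[str]  # "Strict", "Lax", "None", or None if attribute omitted
    secure: bool


def browser_accepts(cookie: Cookie, set_over_https: bool) -> bool:
    """Whether a modern browser stores the cookie at all.
    SameSite=None is rejected unless Secure is present, and a Secure cookie
    can only be set over HTTPS, which is why the targets need TLS."""
    if cookie.same_site == "None" and not cookie.secure:
        return False
    if cookie.secure and not set_over_https:
        return False
    return True


def cookie_sent(cookie: Cookie, request_url: str, initiator_url: str,
                method: str, top_level_navigation: bool) -> bool:
    """Whether the browser attaches a stored cookie to a request to
    request_url initiated from initiator_url (e.g. a page hosting a CSRF form)."""
    if cookie.secure and urlsplit(request_url).scheme != "https":
        return False  # Secure cookies never travel over plain HTTP
    if site_of(request_url) == site_of(initiator_url):
        return True  # first-party context: always sent
    mode = cookie.same_site or "Lax"  # the new default replaces the old "None"
    if mode == "Strict":
        return False
    if mode == "Lax":
        # cross-site: only top-level navigations using a safe method
        return top_level_navigation and method.upper() == "GET"
    return True  # SameSite=None (with Secure): classic cross-site behaviour
```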