expressjs / cookie-session

Simple cookie-based session middleware

secureProxy option to be able to use with non-Express servers behind SSL proxy

PixelsCommander opened this issue · comments

Hi guys,

I am a user of BlitzJS which uses cookie-session but no actual Express. And I use it behind Nginx SSL proxy.

In order to use cookie-session behind an SSL proxy, the ExpressJS trust proxy feature should be set; however, for BlitzJS or NextJS frameworks that use cookie-session for authorization, there is no trust proxy.

We discussed the problem with the BlitzJS author here and came to the conclusion that forcing secure in the Cookies constructor (not when setting a cookie, but passing it to new Cookies as an option) is the way to go, in full accordance with the cookies package author's recommendations for the case when SSL is not controlled by NodeJS: https://github.com/pillarjs/cookies/blob/master/index.js#L102 https://www.npmjs.com/package/@xyezir/cookies#cookiesset-name--value---options--

I made a PR that adds a secureProxy option, which is crucial for BlitzJS/NextJS users who use cookie-session and want to run an app behind an SSL proxy.

Please suggest if this is the best approach to the problem or you see a better one.

Hi @PixelsCommander! To start out with, this is an ExpressJS middleware, made for ExpressJS :) It is even one of the "official" modules within our organization -- this is to state that, though you may be able to use it with other frameworks, that is sort of a "buyer beware" situation, as it is made for, designed for, and tested for use with ExpressJS.

That context aside, a framework does not need to implement a "trust proxy" setting, it simply needs to indicate if the request is secure or not, by having req.protocol === 'https' (see https://github.com/pillarjs/cookies#secure-cookies).