I'm using koa-session for a login service and found a problem when login from http://localhost.

Front-end app using http-proxy with the config like this

{
    "/api", {
      target: "https://test.com",
      changeOrigin: true
    }
}

so when the app is running at localhost:3000, it can sent ajax request to https://test.com
but the problem is when login service send the response header with the set-cookie, the cookie has the secure option (I think probably detect that request is from https because the changeOrigin is set to true). And since i'm using http://localhost, the cookie is not saved (or send), so login is failed.

Currently I manually set secure: false in the config, is there a better way of fixing this?

Yes, you can use secure: false, however you would need to change that on production. It's better to set up nginx to redirect traffic to your app so you work with https. Also you'll want to use a FQDN to avoid issues with cookies and CORS on development (like myapp.test), so just adding your test domain to /etc/hosts pointing to 127.0.0.1 or ::1 should do it.