secure: false does not remove cookies secure -flag #237

Closed
villesau opened this issue Feb 2, 2018 · 8 comments

villesau commented Feb 2, 2018

Expected behavior

When secure: false, the cookie's secure flag should be automatically removed

Actual behavior

secure flag is not removed

Setup

  • http-proxy-middleware: 0.17.4
  • other relevant modules: webpack-dev-server

proxy middleware configuration

  proxy: {
    '/': {
      target: 'https://mydomain.com',
      secure: false,
      changeOrigin: true,
      hostRewrite: true,
      autoRewrite: true,
      xfwd: true,
      cookieDomainRewrite: '',
    }
  }

There is a workaround for this by removing the secure flag manually like

  proxy: {
    '/': {
      target: 'https://mydomain.com',
      secure: false,
      changeOrigin: true,
      hostRewrite: true,
      autoRewrite: true,
      xfwd: true,
      cookieDomainRewrite: '',
      onProxyRes: proxyResponse => {
        if (proxyResponse.headers['set-cookie']) {
          const cookies = proxyResponse.headers['set-cookie'].map(cookie =>
            cookie.replace(/; secure/gi, '')
          );
          proxyResponse.headers['set-cookie'] = cookies;
        }
      }
    }
  },

but it takes time to figure out that the flag should be removed, and I expected secure: false to set up all this kind of stuff for me.
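
An attribute-aware variant of the workaround above, as an added example that is not part of the original thread or of http-proxy-middleware / http-proxy. It goes beyond the posted regex by matching whole cookie attributes, dropping SameSite=None (which browsers only accept together with Secure), and leaving __Secure- / __Host- prefixed cookies untouched because they cannot work without the flag. The name stripSecure and the sample headers are assumptions made for illustration, and the handler is meant for a local development proxy only.

```javascript
// Added example; stripSecure and the sample data are hypothetical names,
// not part of http-proxy-middleware or http-proxy.
function stripSecure(setCookie) {
  const [pair, ...attrs] = setCookie.split(';');
  const name = pair.split('=')[0].trim();
  // Browsers reject __Secure-/__Host- cookies that lack the Secure attribute,
  // so stripping the flag cannot make them usable over plain http.
  if (/^__(Secure|Host)-/i.test(name)) {
    return { header: setCookie, changed: false, reason: 'prefix requires Secure' };
  }
  let changed = false;
  const kept = [];
  for (const raw of attrs) {
    const attr = raw.trim();
    // Match whole attributes only, so "; Secure", ";secure" and ";  SECURE"
    // are all handled and cookie values containing "secure" are untouched.
    if (/^secure$/i.test(attr)) { changed = true; continue; }
    // SameSite=None is only accepted together with Secure; drop it so the
    // browser applies its default SameSite handling instead.
    if (/^samesite\s*=\s*none$/i.test(attr)) { changed = true; continue; }
    if (attr) kept.push(attr);
  }
  return { header: [pair.trim(), ...kept].join('; '), changed };
}

// Handler with the same shape as the onProxyRes option in the config above.
function onProxyRes(proxyResponse) {
  const cookies = proxyResponse.headers['set-cookie'];
  if (!cookies) return;
  proxyResponse.headers['set-cookie'] = cookies.map(c => stripSecure(c).header);
}

// Constructed sample response (not captured from a real server).
const sample = {
  headers: {
    'set-cookie': [
      'sid=abc123; Path=/; HttpOnly; Secure; SameSite=None',
      'theme=secure-dark;secure',
      '__Host-csrf=t0k3n; Path=/; Secure',
    ],
  },
};
onProxyRes(sample);
console.log(sample.headers['set-cookie']);
```

The third sample cookie is returned unchanged with a reason field, which makes it easy to log why a session still fails over http.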

@chimurai
Owner

The secure option comes from the http-proxy library.

Option doesn't apply to cookies, only the secure connection:

secure: true/false, if you want to verify the SSL Certs

There is a feature request on their issue tracker for this: http-party/node-http-proxy#1165

@chimurai
Owner

chimurai commented Apr 8, 2018

Issue has gone stale; Closing issue.
Feel free to re-open.

@chimurai chimurai closed this as completed Apr 8, 2018
@longbo666

thanks! your workaround helps me a lot

@guilala

guilala commented Jun 14, 2019

Thanks @villesau. This is still a valid issue. I need this workaround to proxy from http to https using a common react-create-app configuration. Can you please reopen this issue?

@villesau
Author

Unfortunately I'm not able to reopen this. It needs to be done by some maintainer, maybe @chimurai ? Although the base issue is in the other library..

@chimurai
Owner

Don't think it's wise to modify the behaviour of secure, which is a configuration option of the http-proxy library.

There is a thread for this issue: http-party/node-http-proxy#1165

imho, the ecosystem would benefit more if it is solved there.

I'm open for suggestions.

@devinrhode2

In my opinion... when I set changeOrigin: true, and I'm going from http://localhost:3000 to https://qa.api.com, it should just work..

But I had to dive deep into the http headers and eventually figured out the cookies weren't being set - then I dived deep into cookies and figured it's because the cookies have this secure; flag.

So it's really an implementation detail - maybe there could be an option for patching the cookies - but I'm not sure what to call it - ohBTW_patch_cookies: true - it's really just a messy thing that has to do with http/cookies that developers shouldn't have to think about/be exposed to.

At the end of the day I guess it's as easy as just copy pasting these few lines to remove the secure flag: http-party/node-http-proxy#1165 (comment)

@almothafar

almothafar commented Dec 30, 2019

For me, I'm using angular CLI with the proxy options, so the config is a JSON file in the project, providing the workaround function is not doable for me 😔

Edit: Well, I converted my config to js instead of JSON and that worked 🥳
