From a3b00ae201a6c32ec82e0fd3712e755da5cc460c Mon Sep 17 00:00:00 2001 From: Maksim Nabokikh Date: Fri, 13 Mar 2026 21:48:02 +0100 Subject: [PATCH] Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Maksim Nabokikh --- docs/enhancements/auth-sessions-2026-02-18.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/enhancements/auth-sessions-2026-02-18.md b/docs/enhancements/auth-sessions-2026-02-18.md index 97dc8bf4..7b01e371 100644 --- a/docs/enhancements/auth-sessions-2026-02-18.md +++ b/docs/enhancements/auth-sessions-2026-02-18.md @@ -1,4 +1,4 @@ -# Dex Enhancement Proposal (DEP) - 2026-02-18 - Auth Sessions +# Dex Enhancement Proposal (DEP 4560) - 2026-02-18 - Auth Sessions ## Table of Contents @@ -168,7 +168,7 @@ staticClients: **Cookie Security**: The session cookie is always set with secure defaults: - `HttpOnly: true` - Not accessible via JavaScript -- `Secure: true` - Only sent over HTTPS (automatically disabled for localhost in dev) +- `Secure: (issuerURL.Scheme == "https")` - Only sent over HTTPS; for `http` (commonly used on localhost in dev) this is disabled - `SameSite: Lax` - CSRF protection - `Path: ` - Derived from issuer URL (e.g., `/dex` for `https://example.com/dex`)
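Review bot: In the title hunk, `(DEP 4560)` introduces an identifier without saying what it refers to; since the title is the only place this number appears, state whether 4560 is the proposal number or the tracking issue/PR and, if it is the latter, link it. The filename `auth-sessions-2026-02-18.md` carries the date but not the number, so the Table of Contents and any cross-references should be checked to use the same form.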
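Review bot: In the **Cookie Security** hunk, the new bullet `Secure: (issuerURL.Scheme == "https")` is more accurate than the old `automatically disabled for localhost in dev`, but it now contradicts the unchanged lead-in `The session cookie is always set with secure defaults:` and exposes a Go expression where the reader wants behaviour. Suggest rewording to prose, e.g. `Secure: set when the issuer URL scheme is https; omitted for http issuers (typically localhost in development), so production deployments must configure an https issuer`, and qualifying the lead-in to match. The deployment consequence is worth spelling out: the flag follows the configured issuer URL scheme, not the scheme of the incoming request, so behind a TLS-terminating proxy the cookie keeps `Secure` as long as the issuer is `https://...`, and conversely an `http://` issuer on a public host ships the session cookie without `Secure`. Also, in the unchanged context the `Path:` bullet has an empty value between the backticks; either fill it in or drop the code span.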