MSAL Auth: Cookie Secure

The cookieSecure property maps to the Secure attribute on the Set-Cookie headers generated by the gateway.

Configuration Options

cookieSecure: false

or

cookieSecure: true

Usage

When cookieSecure is set to true, the browser will only transmit the cookie over a secure, encrypted connection (HTTPS). It will flatly refuse to send the cookie over plain HTTP.

  • Development: You typically set this to false when developing locally over http://localhost.
  • Production: You must set this to true in production to prevent cookies from being intercepted by network eavesdroppers.
  • SameSite Dependency: If you configure cookieSameSite: None (which allows cross-origin requests), modern browsers require cookieSecure to be true. If cookieSameSite: None is paired with cookieSecure: false, browsers like Chrome and Edge will reject the cookie outright.
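One way to check the gateway's responses against the rules above is to audit the Set-Cookie headers it emits. This is an added example, not code from the gateway project; the function names, the cookie name and the sample header values are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the Secure / SameSite rules above.
# The cookie name and header values in SAMPLE_HEADERS are constructed sample data.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure carry no value.
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header, production=True):
    """Return a list of findings for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    findings = []
    if samesite == "none" and not secure:
        # Applies in every environment: the browser drops the cookie.
        findings.append(f"{name}: SameSite=None without Secure, browsers reject this cookie")
    elif production and not secure:
        findings.append(f"{name}: Secure attribute missing, cookie can be sent over plain HTTP")
    return findings


SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=None",  # cookieSecure: true
    "session=abc123; Path=/; HttpOnly; SameSite=None",          # cookieSecure: false with None
    "session=abc123; Path=/; HttpOnly; samesite=lax",           # cookieSecure: false
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        for finding in audit_set_cookie(h) or ["ok"]:
            print(finding)
```

Pass `production=False` when auditing a local http://localhost setup; the SameSite=None finding is still reported there because the browser rejects that combination regardless of environment.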