Making Immich cookies use the Secure attribute

[AtmosphericIgnition]

Hi,

is it possible to make the cookies Immich produces use the Secure attribute? My Immich instance is behind an NGINX reverse proxy with HTTPS, and I would like to make sure the session cookies can never be transmitted as plaintext.

Thank you.

[ThierryIT]

I would be interested too.

[bo0tzz]

I don't think we can tell serverside whether HTTPS is enabled, so I'd suggest you use proxy_cookie_flags instead.

[AtmosphericIgnition]

I'll definitely check out proxy_cookie_flags. There is a way for Immich to detect that it's behind an HTTPS proxy. That could be done by having the reverse proxy send something like proxy_set_header X-Forwarded-Proto $scheme;. Other self-hosted projects that use this proxy header for this purpose.

Another option could be to make this behavior be controlled through an Immich environment variable.

I also make sure to send an effective HSTS header with all the server responses add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

[AtmosphericIgnition]

These three directives seem to do the job for my setup. I don't know if there are any other cookies Immich uses that might need to be modified.

proxy_cookie_flags immich_access_token secure samesite=strict;
proxy_cookie_flags immich_auth_type secure samesite=strict;
proxy_cookie_flags immich_is_authenticated secure samesite=strict;

[AtmosphericIgnition]

Alternatively, all cookies (even ones added in the future) can be transformed like this:

proxy_cookie_flags ~ secure samesite=strict;