Cookies must be set with the Secure flag in HTTPS mode #817

@hardware

Description

All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information. Session cookies sent from secure sites must be explicitly marked as secure to prevent being obtained by active network attackers.

/*
|--------------------------------------------------------------------------
| HTTPS Only Cookies
|--------------------------------------------------------------------------
|
| By setting this option to true, session cookies will only be sent back
| to the server if the browser has a HTTPS connection. This will keep
| the cookie from being sent to you if it can not be done securely.
|
*/
'secure' => false,

In HTTPS mode, all cookies must be set with the Secure flag, indicating that they should only be sent over an encrypted channel.

Can you add this parameter to the .env file to permit administrators to change the value? Like this:

# .env

SESSION_COOKIE_SECURE=true

Hardenize report for demo.bookstackapp.com:

https://www.hardenize.com/report/demo.bookstackapp.com/1525132852#www_cookies

I use this workaround in my nginx virtual host until you make this change :

# Bookstack.conf

proxy_cookie_path / "/; Secure";

http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path
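The check a practitioner would run against this report, as an added example that is not code from the issue author, BookStack or nginx: parse each Set-Cookie header, flag cookies that lack Secure (and HttpOnly), then model what the `proxy_cookie_path / "/; Secure";` workaround does, which is rewrite the Path attribute value verbatim, and re-run the audit. The sample headers, cookie names and values are constructed for illustration, not captured from demo.bookstackapp.com. It also shows the workaround's limit: a cookie with no Path attribute (or a different path) is not rewritten and stays non-Secure, which is why the issue asks for the flag to be set in the application config instead.

```python
"""Audit Set-Cookie headers for the Secure flag and model the nginx
proxy_cookie_path workaround. Added example, not BookStack or nginx code."""
import re
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value (None for flag attributes such as Secure)
    attrs: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value first, then ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value, attrs)


def audit(headers, https: bool = True):
    """Return (cookie name, problem) pairs. Policy: on HTTPS every cookie must carry
    Secure; every cookie should carry HttpOnly unless it is meant to be read by JS."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if https and not c.secure:
            findings.append((c.name, "missing Secure"))
        if not c.httponly:
            findings.append((c.name, "missing HttpOnly"))
    return findings


def proxy_cookie_path_rewrite(header: str, path: str = "/", replacement: str = "/; Secure") -> str:
    """Model nginx `proxy_cookie_path / "/; Secure";`: the Path attribute value `/` is
    replaced verbatim by `/; Secure`, which smuggles in a Secure flag. Headers whose
    Path attribute is absent or different are returned unchanged (the workaround's gap)."""
    pattern = r"(?i)(;\s*path=)" + re.escape(path) + r"(?=;|$)"
    return re.sub(pattern, lambda m: m.group(1) + replacement, header)


# Constructed sample headers (not captured from any real host).
SAMPLE_HEADERS = [
    "app_session=abc123; expires=Wed, 02-May-2018 20:00:00 GMT; Max-Age=7200; path=/; httponly",
    "XSRF-TOKEN=xyz789; expires=Wed, 02-May-2018 20:00:00 GMT; Max-Age=7200; path=/",
    "remember_me=tok; Max-Age=1209600; httponly",  # no Path attribute: nginx rewrite will not touch it
]


def hardened_headers(headers=SAMPLE_HEADERS):
    """Apply the nginx workaround to every header and return the rewritten list."""
    return [proxy_cookie_path_rewrite(h) for h in headers]


if __name__ == "__main__":
    print("before:", audit(SAMPLE_HEADERS))
    print("after: ", audit(hardened_headers()))
```

Run it and the first audit lists every cookie as missing Secure; after the modelled rewrite only `XSRF-TOKEN` (no HttpOnly, which Laravel leaves readable to JS on purpose) and `remember_me` (no Path attribute, so never rewritten) remain, which is the residual risk of patching this at the proxy rather than in `config/session.php`.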
