From 6ec92a19fd384610c326992a3196a081df3e5b9a Mon Sep 17 00:00:00 2001
From: samsepi0l
Date: Thu, 14 Dec 2023 14:51:48 +0100
Subject: [PATCH 1/4] Secure cookies

The cookies are not secure by default with heimdall, we can force it through nginx.
---
 heimdall.subdomain.conf.sample | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/heimdall.subdomain.conf.sample b/heimdall.subdomain.conf.sample
index 8e18aa8..71a2d69 100644
--- a/heimdall.subdomain.conf.sample
+++ b/heimdall.subdomain.conf.sample
@@ -35,6 +35,8 @@ server {
     # enable for Authentik (requires authentik-server.conf in the server block)
     #include /config/nginx/authentik-location.conf;
 
+    proxy_cookie_path / "/; Secure; SameSite=strict; HttpOnly";
+
     include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
     set $upstream_app heimdall;

From 1f56b97b892d889a8f89741ce3effd98b89ed348 Mon Sep 17 00:00:00 2001
From: samsepi0l
Date: Fri, 15 Dec 2023 22:21:16 +0100
Subject: [PATCH 2/4] Update heimdall.subdomain.conf.sample

---
 heimdall.subdomain.conf.sample | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/heimdall.subdomain.conf.sample b/heimdall.subdomain.conf.sample
index 71a2d69..9a716e5 100644
--- a/heimdall.subdomain.conf.sample
+++ b/heimdall.subdomain.conf.sample
@@ -34,8 +34,6 @@ server {
 
     # enable for Authentik (requires authentik-server.conf in the server block)
     #include /config/nginx/authentik-location.conf;
-
-    proxy_cookie_path / "/; Secure; SameSite=strict; HttpOnly";
 
     include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
@@ -43,6 +41,7 @@ server {
     set $upstream_port 443;
     set $upstream_proto https;
     proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+    #proxy_cookie_path / "/; Secure; SameSite=strict; HttpOnly";
 }
 }

From 09fd8849ea2783105c3d54e7547d3530a7a132c0 Mon Sep 17 00:00:00 2001
From: samsepi0l
Date: Fri, 15 Dec 2023 22:26:05 +0100
Subject: [PATCH 3/4] Add description

---
 heimdall.subdomain.conf.sample | 2 ++
 1 file changed, 2 insertions(+)

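Review bot: `proxy_cookie_path / "/; Secure; SameSite=strict; HttpOnly";` in the PATCH 1/4 hunk only rewrites Set-Cookie headers whose Path attribute starts with `/`, and it carries the flags in through the path replacement: a cookie the upstream sends without a Path attribute is left unflagged, and as far as I can tell from nginx's prefix-match semantics a cookie scoped to a longer path gets the flag text spliced in right after `/`, collapsing its path to `/`. nginx has a directive built for this, `proxy_cookie_flags ~ secure httponly samesite=strict;` (nginx 1.19.3 and later), which flags every cookie regardless of path and does not duplicate attributes the upstream already sets, so if the image's nginx is new enough I would use that line instead. `SameSite=strict` is also worth a second look: the session cookie is withheld on the first request of a cross-site navigation, so a user following a bookmark or external link appears logged out until they reload, and `samesite=lax` is the usual compromise when that matters. The same directive reappears, commented out, in the second hunk of PATCH 2/4 and in PATCH 3/4; the enclosing location block starts and ends outside these hunks.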
diff --git a/heimdall.subdomain.conf.sample b/heimdall.subdomain.conf.sample
index 9a716e5..d08beca 100644
--- a/heimdall.subdomain.conf.sample
+++ b/heimdall.subdomain.conf.sample
@@ -41,6 +41,8 @@ server {
     set $upstream_port 443;
     set $upstream_proto https;
     proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+    # Enable to secure cookies. Further reading here -> https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
     #proxy_cookie_path / "/; Secure; SameSite=strict; HttpOnly";
 }

From f66e17edeca49cebec71e38cb89a4cf93932117f Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Wed, 20 Dec 2023 09:27:47 -0600
Subject: [PATCH 4/4] Update heimdall.subdomain.conf.sample

---
 heimdall.subdomain.conf.sample | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/heimdall.subdomain.conf.sample b/heimdall.subdomain.conf.sample
index d08beca..a77de5b 100644
--- a/heimdall.subdomain.conf.sample
+++ b/heimdall.subdomain.conf.sample
@@ -34,7 +34,7 @@ server {
 
     # enable for Authentik (requires authentik-server.conf in the server block)
     #include /config/nginx/authentik-location.conf;
-
+
     include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
     set $upstream_app heimdall;
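Review bot: The comment added in the PATCH 3/4 hunk tells the operator to "enable to secure cookies" but not what the line actually changes or why it ships disabled, which is the information someone uncommenting it needs. I would make it name the attributes and the scope, for example `# Enable to add Secure, HttpOnly and SameSite=strict to upstream cookies whose Path attribute starts with "/" (cookies without a Path are not affected). Further reading -> https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies`. The location block this sits in starts outside the hunk, and the PATCH 4/4 hunk below is whitespace only.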