From fe115199251c1bb6fcf63c5294bdfe199dda8189 Mon Sep 17 00:00:00 2001
From: Mitchell R <root@mitchellr.info>
Date: Sun, 10 May 2026 02:57:31 +0200
Subject: [PATCH] fix: drop Secure cookie flag for non-TLS dev access

---
 server/src/plugins/service-admin-http/html-response.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/src/plugins/service-admin-http/html-response.ts b/server/src/plugins/service-admin-http/html-response.ts
index 116aad5..5f92b7b 100644
--- a/server/src/plugins/service-admin-http/html-response.ts
+++ b/server/src/plugins/service-admin-http/html-response.ts
@@ -25,7 +25,7 @@ export function redirectWithCookie(
   if (cookie) {
     headers.set(
       "set-cookie",
-      `${cookie.name}=${cookie.value}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${cookie.maxAge}`,
+      `${cookie.name}=${cookie.value}; Path=/; HttpOnly; SameSite=Lax; Max-Age=${cookie.maxAge}`,
     );
   }
   return new Response(null, { status, headers });
@@ -37,7 +37,7 @@ export function redirectClearCookie(location: string, cookieName: string): Respo
     status: 302,
     headers: {
       location,
-      "set-cookie": `${cookieName}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`,
+      "set-cookie": `${cookieName}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,
     },
   });
 }