From adf65ae56d1341874322bf59063abff23522ad0d Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 26 Mar 2026 06:26:35 +0000
Subject: [PATCH] [fix](trx-frontend-http): warn when auth enabled but cookie_secure is false

Log a startup warning when HTTP auth is active but cookie_secure remains false, alerting operators that session cookies will be sent unencrypted.

https://claude.ai/code/session_01XzurkeuUmamBuhQwxVy7T4

Signed-off-by: Claude
---
 .../trx-frontend/trx-frontend-http/src/server.rs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/trx-client/trx-frontend/trx-frontend-http/src/server.rs b/src/trx-client/trx-frontend/trx-frontend-http/src/server.rs
index c75b623..2d21447 100644
--- a/src/trx-client/trx-frontend/trx-frontend-http/src/server.rs
+++ b/src/trx-client/trx-frontend/trx-frontend-http/src/server.rs
@@ -32,7 +32,7 @@ use actix_web::{
 use tokio::signal;
 use tokio::sync::{broadcast, mpsc, watch};
 use tokio::task::JoinHandle;
-use tracing::{error, info};
+use tracing::{error, info, warn};
 use trx_core::RigRequest;
 use trx_core::RigState;
 
@@ -208,6 +208,16 @@ fn build_server(
         same_site,
     );
 
+    // Warn operators if auth is enabled but cookie_secure is false,
+    // which means session cookies will be sent over plain HTTP.
+    if auth_config.enabled && !auth_config.cookie_secure {
+        warn!(
+            "HTTP auth is enabled but cookie_secure is false — \
+            session cookies will be sent over unencrypted connections. \
+            Set cookie_secure = true when behind a TLS-terminating proxy."
+        );
+    }
+
     let context_data = web::Data::new(context);
     let auth_state = web::Data::new(AuthState::new(auth_config.clone()));
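Review bot: The message in the new `warn!` in the second hunk overstates what `cookie_secure = false` does: omitting the `Secure` attribute does not force the cookie onto plaintext, it lets the browser send it on whichever scheme the client uses, so the real hazard is any plain-HTTP path to this server (a direct listener, or a proxy that also serves HTTP) — and the advice omits the converse failure, that with `cookie_secure = true` a deployment reached over plain HTTP will have browsers silently drop the cookie and break login. I would reword the string to `"HTTP auth is enabled but cookie_secure is false: the session cookie lacks the Secure attribute and will be sent over any plain-HTTP connection to this server. Set cookie_secure = true once all client traffic arrives over TLS (e.g. behind a TLS-terminating proxy); note that browsers will then refuse to send the cookie over plain HTTP."` and update the two-line comment above it to say the same. A startup warning is also easy to miss in a log stream; if plain-HTTP operation is not a supported deployment mode, refusing to start (or requiring an explicit opt-in flag in `auth_config`) would be the stronger control — whether that is acceptable depends on how this server is expected to be deployed, which the hunk does not show. `build_server` starts and ends outside this hunk, so whether it can run more than once per process (and emit the warning repeatedly) cannot be judged from here.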