From 491bd61610e956d2d29f7b66e3a32afbdec2ba33 Mon Sep 17 00:00:00 2001
From: Eliezer Steinbock <3090527+elie222@users.noreply.github.com>
Date: Tue, 6 Jan 2026 22:26:12 +0200
Subject: [PATCH] security: add Secure attribute to cookies

---
 .../[emailAccountId]/calendars/ConnectCalendar.tsx | 2 +-
 apps/web/app/utm.tsx | 12 ++++++------
 apps/web/components/ui/sidebar.tsx | 2 +-
 apps/web/utils/auth-cookies.ts | 2 +-
 apps/web/utils/cookies.ts | 6 +++---
 5 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/apps/web/app/(app)/[emailAccountId]/calendars/ConnectCalendar.tsx b/apps/web/app/(app)/[emailAccountId]/calendars/ConnectCalendar.tsx
index d0ee2f0f2..4430c624c 100644
--- a/apps/web/app/(app)/[emailAccountId]/calendars/ConnectCalendar.tsx
+++ b/apps/web/app/(app)/[emailAccountId]/calendars/ConnectCalendar.tsx
@@ -22,7 +22,7 @@ export function ConnectCalendar({
 const setOnboardingReturnCookie = () => {
 if (onboardingReturnPath) {
- document.cookie = `${CALENDAR_ONBOARDING_RETURN_COOKIE}=${encodeURIComponent(onboardingReturnPath)}; path=/; max-age=180`;
+ document.cookie = `${CALENDAR_ONBOARDING_RETURN_COOKIE}=${encodeURIComponent(onboardingReturnPath)}; path=/; max-age=180; SameSite=Lax; Secure`;
 }
 };
diff --git a/apps/web/app/utm.tsx b/apps/web/app/utm.tsx
index a848d31bd..30f842692 100644
--- a/apps/web/app/utm.tsx
+++ b/apps/web/app/utm.tsx
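Review bot: With `Secure` on a `document.cookie` write, the browser silently refuses to store the cookie when the page is served over plain HTTP from any host other than localhost, so on an http dev or preview deployment `setOnboardingReturnCookie` does nothing and no error surfaces; the same applies to every write in this commit (utm.tsx, sidebar.tsx, auth-cookies.ts, cookies.ts). If such deployments are supported, derive the suffix once, e.g. `const secure = window.location.protocol === "https:" ? "; Secure" : "";`, and append `${secure}` instead of the literal; otherwise a comment stating the HTTPS-only assumption at the first write is enough. The attribute string `path=/; ...; SameSite=Lax; Secure` is now repeated across five files, and a single `setCookie` helper in apps/web/utils/cookies.ts would keep the attributes from drifting again. The commit title mentions only `Secure`, but this hunk (and utm.tsx, sidebar.tsx, auth-cookies.ts) also adds `SameSite=Lax`, which is worth stating in the message. The enclosing `ConnectCalendar` function starts before and ends after the hunk.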
@@ -15,17 +15,17 @@ function setUtmCookies() {
 const expires = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toUTCString();
 if (utmSource)
- document.cookie = `utm_source=${utmSource}; expires=${expires}; path=/`;
+ document.cookie = `utm_source=${utmSource}; expires=${expires}; path=/; SameSite=Lax; Secure`;
 if (utmMedium)
- document.cookie = `utm_medium=${utmMedium}; expires=${expires}; path=/`;
+ document.cookie = `utm_medium=${utmMedium}; expires=${expires}; path=/; SameSite=Lax; Secure`;
 if (utmCampaign)
- document.cookie = `utm_campaign=${utmCampaign}; expires=${expires}; path=/`;
+ document.cookie = `utm_campaign=${utmCampaign}; expires=${expires}; path=/; SameSite=Lax; Secure`;
 if (utmTerm)
- document.cookie = `utm_term=${utmTerm}; expires=${expires}; path=/`;
+ document.cookie = `utm_term=${utmTerm}; expires=${expires}; path=/; SameSite=Lax; Secure`;
 if (affiliate)
- document.cookie = `affiliate=${affiliate}; expires=${expires}; path=/`;
+ document.cookie = `affiliate=${affiliate}; expires=${expires}; path=/; SameSite=Lax; Secure`;
 if (referralCode)
- document.cookie = `referral_code=${referralCode}; expires=${expires}; path=/`;
+ document.cookie = `referral_code=${referralCode}; expires=${expires}; path=/; SameSite=Lax; Secure`;
 }
 export function UTM() {
diff --git a/apps/web/components/ui/sidebar.tsx b/apps/web/components/ui/sidebar.tsx
index 01f391b70..f8c0c5e16 100644
--- a/apps/web/components/ui/sidebar.tsx
+++ b/apps/web/components/ui/sidebar.tsx
@@ -90,7 +90,7 @@ const SidebarProvider = React.forwardRef<
 // This sets the cookie to keep the sidebar state.
 // This sets the cookie to keep the sidebar state.
 sidebarNames.forEach((sidebarName) => {
- document.cookie = `${sidebarName}:state=${openState.includes(sidebarName)}; path=/; max-age=${SIDEBAR_COOKIE_MAX_AGE}`;
+ document.cookie = `${sidebarName}:state=${openState.includes(sidebarName)}; path=/; max-age=${SIDEBAR_COOKIE_MAX_AGE}; SameSite=Lax; Secure`;
 });
 },
 [setOpenProp, open, sidebarNames],
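Review bot: Each of the six values here is interpolated into `document.cookie` unencoded, so a value containing `;` ends the cookie value early and the remainder is read as attributes, which can drop or override the `SameSite=Lax; Secure` suffix this commit adds; the names suggest these come from URL query parameters, so treat them as untrusted (confirm at the caller). ConnectCalendar.tsx already wraps its value in `encodeURIComponent`; do the same on each write, replacing `${utmSource}` with `${encodeURIComponent(utmSource)}` and likewise for the other five, with the matching decode wherever the cookies are read. Six copies of the `expires=${expires}; path=/; SameSite=Lax; Secure` suffix also invite drift; a local `const setCookie = (name: string, value: string) => { document.cookie = ... }` that owns the suffix would reduce the body to six one-line calls. `setUtmCookies` opens on the line before the hunk; its closing `}` is inside it.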
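Review bot: The comment `// This sets the cookie to keep the sidebar state.` appears twice in a row at the top of the hunk; keep one, and it would read better saying that the cookie is what lets the open/closed state survive a reload (if that is how it is read back, which this file does not show). The stored value is the boolean from `openState.includes(sidebarName)`, so `Secure` carries no confidentiality benefit here; its only runtime effect is that on a plain-HTTP origin other than localhost the state stops persisting, which matters if the dev setup is not HTTPS. The enclosing `SidebarProvider` callback starts before and ends after the hunk.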
diff --git a/apps/web/utils/auth-cookies.ts b/apps/web/utils/auth-cookies.ts
index f60e11db9..e0345e4f5 100644
--- a/apps/web/utils/auth-cookies.ts
+++ b/apps/web/utils/auth-cookies.ts
@@ -7,7 +7,7 @@ export function getAndClearAuthErrorCookie(): string | undefined {
 .join("=");
 if (authErrorCookie) {
- document.cookie = "auth_error=; path=/; max-age=0";
+ document.cookie = "auth_error=; path=/; max-age=0; SameSite=Lax; Secure";
 }
 return authErrorCookie;
diff --git a/apps/web/utils/cookies.ts b/apps/web/utils/cookies.ts
index d7f604b57..82f5088d6 100644
--- a/apps/web/utils/cookies.ts
+++ b/apps/web/utils/cookies.ts
@@ -9,13 +9,13 @@ export type LastEmailAccountCookieValue = {
 };
 export function markOnboardingAsCompleted(cookie: string) {
- document.cookie = `${cookie}=true; path=/; max-age=${Number.MAX_SAFE_INTEGER}; SameSite=Lax`;
+ document.cookie = `${cookie}=true; path=/; max-age=${Number.MAX_SAFE_INTEGER}; SameSite=Lax; Secure`;
 }
 export function setInvitationCookie(invitationId: string) {
- document.cookie = `${INVITATION_COOKIE}=${invitationId}; path=/; max-age=${7 * 24 * 60 * 60}; SameSite=Lax`;
+ document.cookie = `${INVITATION_COOKIE}=${invitationId}; path=/; max-age=${7 * 24 * 60 * 60}; SameSite=Lax; Secure`;
 }
 export function clearInvitationCookie() {
- document.cookie = `${INVITATION_COOKIE}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax`;
+ document.cookie = `${INVITATION_COOKIE}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax; Secure`;
 }
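Review bot: The clearing write `document.cookie = "auth_error=; path=/; max-age=0; SameSite=Lax; Secure";` only removes the cookie when its `path` and `domain` match the ones used when `auth_error` was set, and that setter is not in this file (presumably the server after a failed sign-in); confirm it uses `path=/` with no `domain`, otherwise the cookie survives and `getAndClearAuthErrorCookie` reports the same error on every call. Over a plain-HTTP origin other than localhost the `Secure` attribute also turns this deletion into a silent no-op. A comment above the write such as `// Must match the path/domain used when auth_error was set, or the browser ignores the delete` would record that coupling. `getAndClearAuthErrorCookie` opens above the hunk and its closing brace is below it.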
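Review bot: `setInvitationCookie` writes `invitationId` into `document.cookie` unencoded, so an id containing `;` or `=` would truncate the value and could override the `SameSite=Lax; Secure` suffix; if the id arrives via an invitation link rather than being generated server-side (this file does not show its origin), wrap it as `${encodeURIComponent(invitationId)}` as ConnectCalendar.tsx does, with a matching decode on read. `markOnboardingAsCompleted` uses `max-age=${Number.MAX_SAFE_INTEGER}`, but current Chromium and WebKit browsers clamp cookie lifetime to 400 days, so the cookie is not permanent and a comment saying a long-but-finite lifetime is acceptable would prevent surprise. `clearInvitationCookie` deletes with a 1970 `expires=` date while the neighbouring writes use `max-age`; `max-age=0` would make the three writes uniform. All three functions are complete within the hunk.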