Closed
Labels
bug (Something isn't working)
Description
Describe the bug
The authentik_csrf cookie is missing the secure flag.
To Reproduce
Steps to reproduce the behavior:
- Curl against authentik
$ curl https://authentik.example.il/if/flow/default-authentication/ -v
...
< set-cookie: authentik_csrf=<Redacted>; expires=Thu, 02 Oct 2025 21:34:48 GMT; Max-Age=31449600; Path=/; SameSite=Lax
< x-powered-by: authentik
Expected behavior
All cookies should have the secure flag.
The authentik_session has the flag.
Version and Deployment (E.g complete the following information):
- authentik version: 2024.8.3
- Deployment: docker-compose
Additional context
Got a warning about this on HTTP Observatory
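
The check described in this report can be automated. The following is an added example, not part of the original report or of authentik's code: it parses `Set-Cookie` headers out of captured `curl -v` output and lists cookies that lack a given attribute. The function names are hypothetical, and the `authentik_session` header in the sample is constructed (the report only states that it carries the Secure flag).

```python
"""Audit Set-Cookie headers in captured `curl -v` output for missing attributes."""
import re

# Response-header lines in `curl -v` output start with "< ".
_SET_COOKIE = re.compile(r"^<\s*set-cookie:\s*(.+)$", re.IGNORECASE)


def parse_set_cookies(verbose_output):
    """Return {cookie_name: {lowercased attribute name: value or None}}."""
    cookies = {}
    for line in verbose_output.splitlines():
        match = _SET_COOKIE.match(line.strip())
        if not match:
            continue
        # First ";"-separated part is name=value, the rest are attributes.
        name_value, *attrs = [p.strip() for p in match.group(1).split(";")]
        name = name_value.split("=", 1)[0]
        parsed = {}
        for attr in attrs:
            if not attr:
                continue
            key, _, value = attr.partition("=")
            # Flag attributes such as Secure and HttpOnly have no value.
            parsed[key.strip().lower()] = value.strip() or None
        cookies[name] = parsed
    return cookies


def missing_attribute(verbose_output, attribute="secure"):
    """Names of cookies whose Set-Cookie header lacks the given attribute."""
    return sorted(
        name
        for name, attrs in parse_set_cookies(verbose_output).items()
        if attribute.lower() not in attrs
    )


# First Set-Cookie header is the one quoted in the report; the second is
# constructed for illustration.
SAMPLE = """\
< HTTP/2 200
< set-cookie: authentik_csrf=<Redacted>; expires=Thu, 02 Oct 2025 21:34:48 GMT; Max-Age=31449600; Path=/; SameSite=Lax
< set-cookie: authentik_session=<Redacted>; HttpOnly; Path=/; SameSite=None; Secure
< x-powered-by: authentik
"""

if __name__ == "__main__":
    for cookie in missing_attribute(SAMPLE):
        print(f"{cookie}: Secure flag missing")
```

To run it against a live deployment, capture the headers first; `curl -v` writes them to stderr, so redirect with `2>&1` before passing the text to `missing_attribute`.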