Question

Application Platform Secure cookie

Hi, as I was setting up my backend for production, I figured out that after setting the cookie flag to Secure: true, it would not send it to the front end, probably due to an insecure connection between the frontend and backend components in the local network of the application platform. What is the correct way to set up a secure connection between the frontend and backend components so the secure cookie will work correctly?



Bobby Iliev
Site Moderator
February 11, 2024
Accepted Answer

Hello Dimitry,

It’s great to see you focusing on the security aspects of your application, especially concerning secure cookies. You’ve touched on an important point regarding how frontend and backend components communicate in a cloud environment like the DigitalOcean App Platform.

On the DigitalOcean App Platform, HTTPS is enabled by default for all applications, and there isn’t an option to disable HTTPS. This means all external traffic to your application components, including both frontend and backend, is secured using HTTPS.

Also, to clarify the nature of the interaction between the frontend and backend in this context: the frontend code (HTML, JavaScript, CSS, etc.) runs in the client’s browser and makes requests to the backend over the internet. This communication does happen over HTTPS by default when your services are exposed to the internet. Therefore, secure cookies should work correctly as long as the browser can establish a secure HTTPS connection to the backend service.

The communication between the frontend and the backend service would not go over the internal network. Here is a quick diagram to showcase how this would usually work:

Internet Users
       ||
       \/
[User's Browser] --- HTTPS Request ----> [DigitalOcean App Platform]
       |                                       |
       | (1) Fetch Frontend over HTTPS         |
       |                                       |
       |                                       |
       | (2) Frontend (HTML, JS, CSS) loaded   |
       |                                       |
       |                                       |
       | (3) Browser executes JS and makes     |
             HTTPS request to Backend          |
       |                                       |
       |                                       |
       |                                       |
       \---<-----------------------------[Frontend Service]
                                           /       \
                                          /         \
                                         /           \
                                        /             \
                           HTTPS Request              HTTPS Request
                                  /                          \
                                 /                            \
                                /                              \
                               \/                              \/
                       [Backend Service]                [Other Services]
                      (APIs, Databases, etc.)         (e.g., Authentication)

Here is also what you could consider:

  1. Since the App Platform automatically secures connections with HTTPS, make sure your frontend code references the backend service using the HTTPS protocol. This is typically straightforward but do verify that any URLs to backend services in your frontend code start with https://.

  2. When you set cookies with the Secure attribute from your backend, ensure that the domain and path set for the cookies correctly match the requests being made from the frontend. Mismatches here could prevent cookies from being sent correctly.

  3. If your frontend and backend are under different domains or subdomains, ensure your CORS policy on the backend is configured to allow requests from your frontend domain. This is essential for secure, cross-domain requests and for cookies to be sent and received correctly.

Given the secure, HTTPS-enabled environment on the DigitalOcean App Platform, the issue with secure cookies not being sent is likely related to the configuration on the client-side or specific settings in your backend service. Double-check your service configurations, cookie attributes, and how your frontend code makes requests to your backend to ensure compatibility with secure cookie transmission.

If you encounter specific issues or need further assistance, feel free to share more details here!

Best of luck with your application deployment!

Best,

Bobby
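
The three checks listed in the answer above can be run against a single backend response. This is an added example, not code from the answer or from DigitalOcean; the function names, issue codes, hostnames and header values are all hypothetical, constructed samples.

```javascript
// Added example. Hostnames, cookie and header values are constructed samples.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, domain: null, path: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "domain") cookie.domain = v.replace(/^\./, "").toLowerCase();
    if (key === "path") cookie.path = v;
  }
  return cookie;
}

// RFC 6265 path-match: the cookie Path must be a prefix ending on a "/" boundary.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

function diagnose({ setCookie, requestUrl, pageOrigin, responseHeaders = {} }) {
  const issues = [];
  const cookie = parseSetCookie(setCookie);
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();

  // Point 1: a Secure cookie is only stored and returned over https://
  // (browsers may exempt http://localhost during development).
  if (cookie.secure && url.protocol !== "https:") issues.push("insecure-scheme");

  // Point 2: Domain must be the request host or a parent of it, and the
  // cookie is only sent back to URLs under its Path.
  if (cookie.domain && host !== cookie.domain && !host.endsWith("." + cookie.domain))
    issues.push("domain-mismatch");
  if (cookie.path && !pathMatches(url.pathname, cookie.path)) issues.push("path-mismatch");

  // Point 3: for a cross-origin request with credentials, the browser rejects
  // the response unless the backend names the exact frontend origin ("*" is
  // not accepted) and sends Access-Control-Allow-Credentials: true.
  if (url.origin !== pageOrigin) {
    const h = {};
    for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
    if (h["access-control-allow-origin"] !== pageOrigin) issues.push("cors-origin");
    if (h["access-control-allow-credentials"] !== "true") issues.push("cors-credentials");
  }
  return issues;
}
```

On the frontend side, a cross-origin `fetch` call also has to be made with `credentials: "include"` for the browser to attach the cookie to the request.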
