By dimitry_lzs
Hi, as I was setting up my backend for production, I figured out that after setting the cookie flag to Secure: true, it would not send it to the front end, probably due to an insecure connection between the frontend and backend components in the local network of the application platform. What is the correct way to set up a secure connection between frontend and backend components so the secure cookie will work correctly?
Accepted Answer
Hello Dimitry,
It’s great to see you focusing on the security aspects of your application, especially concerning secure cookies. You’ve touched on an important point regarding how frontend and backend components communicate in a cloud environment like the DigitalOcean App Platform.
On the DigitalOcean App Platform, HTTPS is enabled by default for all applications, and there isn’t an option to disable HTTPS. This means all external traffic to your application components, including both frontend and backend, is secured using HTTPS.
Also, to clarify the nature of the interaction between the frontend and backend in this context: the frontend code (HTML, JavaScript, CSS, etc.) runs in the client’s browser and makes requests to the backend over the internet. This communication does happen over HTTPS by default when your services are exposed to the internet. Therefore, secure cookies should work correctly as long as the browser can establish a secure HTTPS connection to the backend service.
The communication between the frontend and the backend service would not go over the internal network. Here is a quick diagram to showcase how this would usually work:
                         Internet Users
                               ||
                               \/
[User's Browser] --- HTTPS Request ----> [DigitalOcean App Platform]
       |                                            |
       | (1) Fetch Frontend over HTTPS              |
       |                                            |
       | (2) Frontend (HTML, JS, CSS) loaded        |
       |                                            |
       | (3) Browser executes JS and makes          |
       |     HTTPS request to Backend               |
       |                                            |
       \---<-----------------------------[Frontend Service]
                                            /            \
                                           /              \
                                 HTTPS Request        HTTPS Request
                                         /                  \
                                        \/                  \/
                              [Backend Service]       [Other Services]
                          (APIs, Databases, etc.)   (e.g., Authentication)
Here is also what you could consider:
Since the App Platform automatically secures connections with HTTPS, make sure your frontend code references the backend service using the HTTPS protocol. This is typically straightforward but do verify that any URLs to backend services in your frontend code start with https://.
When you set cookies with the Secure attribute from your backend, ensure that the domain and path set for the cookies correctly match the requests being made from the frontend. Mismatches here could prevent cookies from being sent correctly.
If your frontend and backend are under different domains or subdomains, ensure your CORS policy on the backend is configured to allow requests from your frontend domain. This is essential for secure, cross-domain requests and for cookies to be sent and received correctly.
Given the secure, HTTPS-enabled environment on the DigitalOcean App Platform, the issue with secure cookies not being sent is likely related to the configuration on the client-side or specific settings in your backend service. Double-check your service configurations, cookie attributes, and how your frontend code makes requests to your backend to ensure compatibility with secure cookie transmission.
If you encounter specific issues or need further assistance, feel free to share more details here!
Best of luck with your application deployment!
Best,
Bobby
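The three checks listed in the answer above (https:// backend URL, cookie Domain/Path matching the request, and CORS for a separate frontend origin) can be run against a captured response as follows. This is an added example, not part of the original answer or DigitalOcean's code; the function names, the example.com hostnames and the sample headers are constructed, and the matching rules are a simplified version of what browsers implement.

```javascript
// Added example: simplified checks, not a full RFC 6265 / Fetch implementation.
// A missing Path is treated as "/" here; browsers derive a default from the request path.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, domain: null, path: "/" };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    const k = key.trim().toLowerCase();
    if (k === "secure") cookie.secure = true;
    if (k === "domain") cookie.domain = value.trim().replace(/^\./, "").toLowerCase();
    if (k === "path") cookie.path = value.trim() || "/";
  }
  return cookie;
}

// Returns a list of reasons the cookie would not work for this frontend/backend pair.
// `cors` holds the backend's CORS response headers, keyed by lower-case header name.
function diagnoseCookie({ frontendOrigin, backendUrl, setCookie, cors = {} }) {
  const problems = [];
  const backend = new URL(backendUrl);
  const front = new URL(frontendOrigin).origin;
  const cookie = parseSetCookie(setCookie);

  if (cookie.secure && backend.protocol !== "https:")
    problems.push("Secure cookie but the backend URL is not https://");

  const host = backend.hostname.toLowerCase();
  if (cookie.domain && host !== cookie.domain && !host.endsWith("." + cookie.domain))
    problems.push(`Domain=${cookie.domain} does not match host ${host}`);

  const prefix = cookie.path.endsWith("/") ? cookie.path : cookie.path + "/";
  if (backend.pathname !== cookie.path && !backend.pathname.startsWith(prefix))
    problems.push(`Path=${cookie.path} does not cover ${backend.pathname}`);

  if (front !== backend.origin) { // cross-origin: a credentialed request needs explicit CORS
    if (cors["access-control-allow-origin"] !== front)
      problems.push("Access-Control-Allow-Origin must be the exact frontend origin, not *");
    if (cors["access-control-allow-credentials"] !== "true")
      problems.push("Access-Control-Allow-Credentials must be true");
  }
  return problems;
}

// Constructed sample: frontend and backend on separate subdomains, backend called over http.
console.log(diagnoseCookie({
  frontendOrigin: "https://frontend.example.com",
  backendUrl: "http://api.example.com/api/login",
  setCookie: "sid=abc123; Secure; HttpOnly; Domain=example.com; Path=/api",
  cors: { "access-control-allow-origin": "*" },
}));
```

For a cross-origin setup the browser-side request also has to opt in to sending cookies, for example `fetch(url, { credentials: "include" })`.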