Cookie security only if https is set in the config.

web/config.py

@@ -6,11 +6,6 @@ import logging
 class Config:
     ''' ### Flask ### '''
     SECRET_KEY = os.environ.get('SECRET_KEY') or 'hard to guess string'
-    SESSION_COOKIE_SECURE = True
-
-    ''' ### Flask-Login ### '''
-    REMEMBER_COOKIE_HTTPONLY = True
-    REMEMBER_COOKIE_SECURE = True
 
     ''' ### Flask-Mail ### '''
     MAIL_SERVER = os.environ.get('MAIL_SERVER')
@@ -32,6 +27,7 @@ class Config:
     NOPAQUE_CONTACT = os.environ.get('NOPAQUE_CONTACT')
     NOPAQUE_MAIL_SENDER = os.environ.get('NOPAQUE_MAIL_SENDER')
     NOPAQUE_MAIL_SUBJECT_PREFIX = '[nopaque]'
+    NOPAQUE_PROTOCOL = os.environ.get('NOPAQUE_PROTOCOL')
     NOPAQUE_STORAGE = os.environ.get('NOPAQUE_STORAGE')
 
     os.makedirs('logs', exist_ok=True)
@@ -41,6 +37,15 @@ class Config:
                                '%(message)s',
                         datefmt='%Y-%m-%d %H:%M:%S', filemode='w')
 
+    ''' ### Security enhancements ### '''
+    if NOPAQUE_PROTOCOL == 'https':
+        ''' ### Flask ### '''
+        SESSION_COOKIE_SECURE = True
+
+        ''' ### Flask-Login ### '''
+        REMEMBER_COOKIE_HTTPONLY = True
+        REMEMBER_COOKIE_SECURE = True
+
     @staticmethod
     def init_app(app):
         proxy_fix_kwargs = {