
Fixed http error #96 (Merged)

jm1021 merged 1 commit into Open-Coding-Society:master from AP-CSP-1:master
Feb 24, 2026

Conversation

@Ahaanv19
Contributor

Problem

The deployed frontend at https://pages.opencodingsociety.com was getting Mixed Content errors when calling the Spring backend at https://spring.opencodingsociety.com.

Root Cause

Commit 2e98f9f ("fix login security issues - cookie switching across platforms") introduced request.isSecure() checks to determine cookie flags. Behind the Nginx reverse proxy, the connection from Nginx → Spring is plain HTTP (proxy_pass http://localhost:8587), so request.isSecure() always returns false.

This caused:

  • Secure=false on JWT cookies → browsers reject them over HTTPS cross-origin
  • SameSite=Lax instead of None → blocks cross-origin cookie sending from pages.opencodingsociety.com
  • Spring generates http:// redirect URLs → browser blocks as Mixed Content

Error seen in browser console

Mixed Content: The page at 'https://pages.opencodingsociety.com/student/calendar'
was loaded over HTTPS, but requested an insecure resource
'http://spring.opencodingsociety.com/login'. This request has been blocked.

Fix

1. Use config values directly instead of request.isSecure() (Java)

Files: JwtApiController.java, MvcSecurityConfig.java

Replaced all occurrences of:

boolean secureFlag = cookieSecure && request.isSecure();
String sameSite = secureFlag ? cookieSameSite : "Lax";

With direct use of config values:

.secure(cookieSecure)
.sameSite(cookieSameSite)

Cookie flags are now driven entirely by application.properties:

  • Production: jwt.cookie.secure=true, jwt.cookie.same-site=None (already set)
  • Local dev: Override via .env with jwt.cookie.secure=false, jwt.cookie.same-site=Lax

2. Trust forwarded headers from Nginx (application.properties)

Added:

server.forward-headers-strategy=framework

This tells Spring to read X-Forwarded-Proto, X-Forwarded-Host, etc. from the reverse proxy, so redirect URLs are generated with https://.

3. Forward HTTPS headers in Nginx (nginx_file)

Added:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;

Files Changed

File                                                        | Change
------------------------------------------------------------|-----------------------------------------------------------------------------
src/main/java/com/open/spring/security/JwtApiController.java | Remove request.isSecure() from /authenticate and /api/logout cookie builders
src/main/java/com/open/spring/security/MvcSecurityConfig.java | Remove request.isSecure() from login success handler and logout handler cookie builders
src/main/resources/application.properties                    | Add server.forward-headers-strategy=framework
nginx_file                                                   | Add X-Forwarded-Proto/Host/Port/For proxy headers

Deployment Steps

  1. Merge this PR
  2. Rebuild and restart the Spring server
  3. Update Nginx config on the server and run sudo nginx -s reload

@jm1021 jm1021 merged commit 4c2c686 into Open-Coding-Society:master Feb 24, 2026
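A post-merge check for the two browser rules this fix depends on, written as an added example (not code from the Open-Coding-Society repository or from the PR author). It encodes (1) that a cookie sent cross-site from pages.opencodingsociety.com to spring.opencodingsociety.com must carry SameSite=None, and that browsers reject SameSite=None unless Secure is also present, and (2) that a Location header pointing at http:// from an https:// page is blocked as mixed content. The Set-Cookie values, the cookie name "jwt" and the Location URLs below are constructed to mirror the before/after states described above, not captured from the live server; run the same functions over real response headers (for example from `curl -i`) after step 3 of the deployment.

```python
"""Verify JWT cookie flags and redirect scheme after the fix is deployed.

Added example, not project code. Sample headers are constructed, not captured.
"""
from typing import Dict
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse one Set-Cookie value into {"name", "value", <attr lowercase>: val}.
    Flag attributes without a value (Secure, HttpOnly) map to ""."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, str] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, has_val, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if has_val else ""
    return cookie


def cross_site_cookie_ok(header: str) -> bool:
    """True only if a browser on the https:// frontend would both STORE this
    cookie and SEND it on a cross-site fetch to the Spring origin.
    - SameSite absent defaults to Lax, which is not sent cross-site.
    - SameSite=None without Secure is rejected outright by modern browsers."""
    c = parse_set_cookie(header)
    same_site = (c.get("samesite") or "Lax").lower()
    secure = "secure" in c
    if same_site == "none" and not secure:
        return False  # the local-dev misconfiguration to watch for
    return same_site == "none" and secure


def redirect_is_mixed_content(page_url: str, location: str) -> bool:
    """True if following `location` from an https:// page would be blocked.
    A relative Location inherits the request's scheme and is therefore fine."""
    page, target = urlsplit(page_url), urlsplit(location)
    if not target.scheme:
        return False
    return page.scheme == "https" and target.scheme == "http"


def check_deployment(cookie_header: str, page_url: str, location: str) -> Dict[str, bool]:
    """Combine both checks; a healthy deployment is {True, False}."""
    return {
        "cookie_usable_cross_site": cross_site_cookie_ok(cookie_header),
        "redirect_blocked": redirect_is_mixed_content(page_url, location),
    }


# Constructed samples mirroring the PR description (cookie name is a placeholder).
SAMPLE_PAGE = "https://pages.opencodingsociety.com/student/calendar"
BEFORE_COOKIE = "jwt=abc.def.ghi; Path=/; HttpOnly; SameSite=Lax"           # request.isSecure() == false
AFTER_COOKIE = "jwt=abc.def.ghi; Path=/; HttpOnly; Secure; SameSite=None"   # driven by application.properties
BEFORE_LOCATION = "http://spring.opencodingsociety.com/login"               # no X-Forwarded-Proto honoured
AFTER_LOCATION = "https://spring.opencodingsociety.com/login"               # forward-headers-strategy=framework

if __name__ == "__main__":
    for label, ck, loc in (("before", BEFORE_COOKIE, BEFORE_LOCATION),
                           ("after", AFTER_COOKIE, AFTER_LOCATION)):
        print(label, check_deployment(ck, SAMPLE_PAGE, loc))
```

One caveat worth checking alongside this: `server.forward-headers-strategy=framework` makes Spring trust `X-Forwarded-*` from whatever reaches it, so the Spring port behind Nginx (8587 in the description) must not be reachable from clients directly, or a caller can set `X-Forwarded-Proto` themselves. Nginx's `proxy_set_header` overwrites any client-supplied value, which is what you want.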