rewrite module and secure cookies

[5im-0n]

When rewriting happens with an https destination, like in ws --rewrite '/:user/repos/:name -> https://api.github.com/repos/:user/:name', cookies set by the destination are usually set with the secure flag, but since lws listens on http, this cookie gets lost.
lws should strip the secure flag from the cookie, so cookies set from an https origin get set correctly.

[75lb]

Hi, thanks for the feature - do you think it should be on by default?

[5im-0n]

Yes I think so. Since lws is "A lean, modular web server for rapid full-stack development." I think it should be on in the default use case, that is, development.

[75lb]

yeah, i agree.. the only concern is that making this behaviour the default could surprise existing users accustomed to the previous behaviour.. It's a breaking change, unless people consider it a bug fix and not feature addition..

[5im-0n]

True. But I think that since it did not work before, nobody used lws this way, so there should be no breaking changes for anyone.

[75lb]

Released in lws-rewrite v2.1.0. Reinstall local-web-server to pick up the change.

On insecure connections (plain HTTP), stripping the secure attribute from remote, rewrite-target cookies is now the default behaviour. Set the --rewrite.keep-secure-attr to disable this.