added caddy

backend/Dockerfile

@@ -0,0 +1,22 @@
+# ── Build ───────────────────────────────────────────────────
+FROM rust:1-bookworm AS build
+WORKDIR /app
+
+# Cache deps: copy manifests, build a stub, then the real source.
+COPY Cargo.toml Cargo.lock ./
+RUN mkdir src && echo "fn main() {}" > src/main.rs \
+    && cargo build --release \
+    && rm -rf src
+
+COPY . .
+# Touch so cargo rebuilds with the real main.rs.
+RUN touch src/main.rs && cargo build --release
+
+# ── Runtime ─────────────────────────────────────────────────
+FROM debian:bookworm-slim AS runtime
+WORKDIR /app
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+COPY --from=build /app/target/release/shoplist-backend /usr/local/bin/shoplist-backend
+EXPOSE 8080
+CMD ["shoplist-backend"]

backend/src/config.rs

@@ -16,6 +16,8 @@ pub struct Config {
     pub refetch_min_age_secs: i64,
     /// Default ISO 4217 currency when an adapter can't determine one.
     pub default_currency: String,
+    /// Mark the session cookie Secure (HTTPS-only). Enable in production.
+    pub cookie_secure: bool,
 }
 
 #[derive(Clone, Debug)]
@@ -67,6 +69,12 @@ impl Config {
             refetch_interval_secs: opt("REFETCH_INTERVAL_SECS", "300").parse()?,
             refetch_min_age_secs: opt("REFETCH_MIN_AGE_SECS", "21600").parse()?,
             default_currency: opt("DEFAULT_CURRENCY", "EUR").to_uppercase(),
+            // Default Secure when the public URL is HTTPS; override with COOKIE_SECURE.
+            cookie_secure: env::var("COOKIE_SECURE")
+                .map(|v| v == "1" || v.eq_ignore_ascii_case("true"))
+                .unwrap_or_else(|_| {
+                    opt("PUBLIC_APP_URL", "http://localhost:5173").starts_with("https://")
+                }),
             smtp: SmtpConfig {
                 host: opt("SMTP_HOST", "localhost"),
                 port: opt("SMTP_PORT", "587").parse()?,

backend/src/main.rs

@@ -43,7 +43,7 @@ async fn main() -> anyhow::Result<()> {
     session_store.migrate().await?;
 
     let session_layer = SessionManagerLayer::new(session_store)
-        .with_secure(false) // set true behind HTTPS in production
+        .with_secure(config.cookie_secure) // true behind HTTPS in production
         .with_same_site(tower_sessions::cookie::SameSite::Lax)
         .with_expiry(Expiry::OnInactivity(Duration::days(30)));