added caddy

backend/src/config.rs

@@ -16,6 +16,8 @@ pub struct Config {
     pub refetch_min_age_secs: i64,
     /// Default ISO 4217 currency when an adapter can't determine one.
     pub default_currency: String,
+    /// Mark the session cookie Secure (HTTPS-only). Enable in production.
+    pub cookie_secure: bool,
 }
 
 #[derive(Clone, Debug)]
@@ -67,6 +69,12 @@ impl Config {
             refetch_interval_secs: opt("REFETCH_INTERVAL_SECS", "300").parse()?,
             refetch_min_age_secs: opt("REFETCH_MIN_AGE_SECS", "21600").parse()?,
             default_currency: opt("DEFAULT_CURRENCY", "EUR").to_uppercase(),
+            // Default Secure when the public URL is HTTPS; override with COOKIE_SECURE.
+            cookie_secure: env::var("COOKIE_SECURE")
+                .map(|v| v == "1" || v.eq_ignore_ascii_case("true"))
+                .unwrap_or_else(|_| {
+                    opt("PUBLIC_APP_URL", "http://localhost:5173").starts_with("https://")
+                }),
             smtp: SmtpConfig {
                 host: opt("SMTP_HOST", "localhost"),
                 port: opt("SMTP_PORT", "587").parse()?,

backend/src/main.rs

@@ -43,7 +43,7 @@ async fn main() -> anyhow::Result<()> {
     session_store.migrate().await?;
 
     let session_layer = SessionManagerLayer::new(session_store)
-        .with_secure(false) // set true behind HTTPS in production
+        .with_secure(config.cookie_secure) // true behind HTTPS in production
         .with_same_site(tower_sessions::cookie::SameSite::Lax)
         .with_expiry(Expiry::OnInactivity(Duration::days(30)));