Secure Flag cannot be set for unproxied localhost

Browsers consider localhost to be a secure origin (i.e. see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies).

express-session does not. This means for my local configuration, I need to disable the Secure flag, which has other repercussions:

• I cannot set the Cookie Name to __Host-sid and need to make a special-case development exception
• I cannot use CORS Requests to localhost with Cookies, since non-secure Cookies aren’t sent, even with SameSite=none

I understand that this is the result of express-session trying to be smart and trying to prevent sending cookies over insecure connections.

The code causing this is in index.js:

if (req.session.cookie.secure && !issecure(req, trustProxy)) {

I don’t think that issecure can reliably detect if the connection attempt is secure or not for the localhost case.

I see two possible solutions:

• Allow disabling the issecure check and unconditionally set the cookie (this is what I actually want, because otherwise it just silently fails)
• Potentially inspect the origin-header for localhost as a heuristic, this (should?) remain unchanged through proxies too