HyphaApp · frjo · May 13, 2026 · May 13, 2026 · May 13, 2026 · May 13, 2026
diff --git a/docs/setup/administrators/configuration.md b/docs/setup/administrators/configuration.md
@@ -283,14 +283,6 @@ On Heroku, set to true if deploying to Heroku.
 
 ----
 
-Secure cookies
-
-Set this to enable Djangos settings for secure cookies.
-
-    COOKIE_SECURE = env.bool('COOKIE_SECURE', False)
-
-----
-
 Machine translation settings for applications
 
 See [here](machine-translations.md) for more information on setting up machine translations

diff --git a/docs/setup/deployment/production/stand-alone.md b/docs/setup/deployment/production/stand-alone.md
@@ -236,7 +236,6 @@ Here is a list of settings that can be set as environment variables or in a `hyp
 
 ```text
 CACHE_CONTROL_MAX_AGE:                         14400
-COOKIE_SECURE:                                 true
 DJANGO_SETTINGS_MODULE:                        hypha.settings.production
 EMAIL_HOST:                                    example.org
 ORG_EMAIL:                                     hello@example.org

diff --git a/hypha/apply/determinations/views.py b/hypha/apply/determinations/views.py
@@ -9,6 +9,7 @@
 from django.urls import reverse_lazy
 from django.utils import timezone
 from django.utils.decorators import method_decorator
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.translation import gettext as _
 from django.views.generic import CreateView, DetailView, UpdateView
 from wagtail.models import Site
@@ -261,10 +262,14 @@ def form_valid(self, form):
         return response
 
     def get_success_url(self):
-        try:
-            return self.request.GET["next"]
-        except KeyError:
-            return reverse_lazy("apply:submissions:list")
+        next_url = self.request.GET.get("next")
+        if next_url and url_has_allowed_host_and_scheme(
+            next_url,
+            allowed_hosts={self.request.get_host()},
+            require_https=self.request.is_secure(),
+        ):
+            return next_url
+        return reverse_lazy("apply:submissions:list")
 
 
 @method_decorator(staff_required, name="dispatch")

diff --git a/hypha/apply/funds/views/partials.py b/hypha/apply/funds/views/partials.py
@@ -50,6 +50,9 @@
 @login_required
 def partial_submission_lead(request, pk):
     submission = get_object_or_404(ApplicationSubmission, pk=pk)
+    has_permission(
+        "submission_view", request.user, object=submission, raise_exception=True
+    )
     return render(
         request, "submissions/partials/submission-lead.html", {"submission": submission}
     )
@@ -296,6 +299,9 @@ def partial_reviews_decisions(request: HttpRequest) -> HttpResponse:
 @login_required
 def partial_meta_terms_card(request, pk):
     submission = get_object_or_404(ApplicationSubmission, pk=pk)
+    has_permission(
+        "submission_view", request.user, object=submission, raise_exception=True
+    )
     meta_terms = submission.meta_terms.all()
     ctx = {"meta_terms": meta_terms, "submission": submission}
     return render(request, "submissions/partials/meta-terms-card.html", ctx)

diff --git a/hypha/settings/base.py b/hypha/settings/base.py
@@ -617,10 +617,6 @@
     "SECURE_REFERRER_POLICY", "strict-origin-when-cross-origin"
 )
 
-if env.bool("COOKIE_SECURE", False):
-    SESSION_COOKIE_SECURE = True
-    CSRF_COOKIE_SECURE = True
-    ELEVATE_COOKIE_SECURE = True
 
 # Django Elevate settings
 # https://django-elevate.readthedocs.io/en/latest/config/index.html

diff --git a/hypha/settings/production.py b/hypha/settings/production.py
@@ -9,6 +9,11 @@
 except ImportError:
     pass
 
+# Security settings
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
+ELEVATE_COOKIE_SECURE = True
+
 # Mailgun configuration.
 if env.str("MAILGUN_API_KEY", None):
     EMAIL_BACKEND = "anymail.backends.mailgun.EmailBackend"