From dc12db309f223b593112cc6987e58c2dda55efb8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ti=E1=BA=BFn=20Nguy=E1=BB=85n=20Kh=E1=BA=AFc?=
Date: Wed, 21 Feb 2024 10:17:34 +1300
Subject: [PATCH] fix: secure isn't set on localhost when samesite is present

`Secure` attribute must always be set when `SameSite` attribute is present, else the cookie would be invalid.
---
 set-cookie.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/set-cookie.ts b/set-cookie.ts
index f4f2595..1d2cc13 100644
--- a/set-cookie.ts
+++ b/set-cookie.ts
@@ -84,8 +84,8 @@ export function setCookie(
 attrs.push(['Path', path]);
 }
- // Always secure, except for localhost
- if (origin && origin.hostname !== 'localhost')
+ // Always secure when isn't localhost or samesite is set
+ if (origin?.hostname !== 'localhost' || sameSite !== undefined)
 attrs.push(['Secure']);
 if (opts.httpOnly)
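Review bot: The new condition on the `if` line sets `Secure` for every `SameSite` value, but browsers only require `Secure` when `SameSite=None`; with `Lax` or `Strict` a localhost cookie over plain HTTP now gets `Secure` too, and some browsers will not store or send it there. If the `None` case is the one being fixed, narrow the second operand to that value (spelled however `sameSite` is typed in this file, which the hunk does not show) and say so in the comment, e.g. `// Secure everywhere except localhost; SameSite=None requires Secure even there`. Separately, switching from `origin && origin.hostname` to `origin?.hostname` means a missing `origin` now also gets `Secure`, where the old code left it off; that is the safer default, but the commit message does not mention it, so confirm it is intended. `setCookie` begins and ends outside the hunk, so how `sameSite` and `origin` are derived is not visible here.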