From 8b1a5f8ad6f7838cb2398b71bbad938ea05b047d Mon Sep 17 00:00:00 2001
From: Zachary Lee
Date: Tue, 17 Oct 2023 12:07:06 -0400
Subject: [PATCH] first pass imp
---
 changelog.md | 3 +++
 frontend/lib/src/util/utils.ts | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/changelog.md b/changelog.md
index b2d36e9ac122..4e9d6809653d 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,8 @@
 # Tagup Changelog
+## 2023-10-17
+Added the `Secure;` flag to all `Set-Cookie` headers streamlit sends. This is to remediate possible vulnerabilities that our pentesters flagged. The `Secure;` flag makes it so the browser will only pass the set cookie over https.
+
 ## 2023-06-22
 - Removed the use of the `expressionInterpreter` when rendering Vega Lite charts. Using this renderer exposes a bug where a specified x-domain results in charts not rendering correctly. See these threads for more details: https://discuss.streamlit.io/t/time-axis-with-custom-scale/33524 https://github.com/vega/vega/issues/3632
 - Pinned `wheel` to 0.40.0 to fix a build error
diff --git a/frontend/lib/src/util/utils.ts b/frontend/lib/src/util/utils.ts
index 41d2983bfd8a..8722cf16ba1a 100644
--- a/frontend/lib/src/util/utils.ts
+++ b/frontend/lib/src/util/utils.ts
@@ -282,7 +282,7 @@ export function setCookie(
 ): void {
   const expirationDate = value ? expiration : new Date()
   const expirationStr: string = expirationDate
-    ? `expires=${expirationDate.toUTCString()};`
+    ? `expires=${expirationDate.toUTCString()}; Secure;`
     : ""
   document.cookie = `${name}=${value};${expirationStr}path=/`
 }
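Review bot: `Secure` is appended only on the `expires=` branch of the ternary, so a call that sets a value without an expiration (`expirationDate` falsy, `expirationStr` becomes `""`) still writes the cookie without the flag, even though the changelog entry states every cookie now carries it. Put the attribute on the final assignment instead and leave the `expires=` line as it was: `document.cookie = \`${name}=${value};${expirationStr}path=/;Secure\``. Browsers refuse to store a `Secure` cookie written from a plain-http page, so any http-only local deployment will lose this cookie silently; presumably acceptable, but a one-line comment stating that trade-off would help the next maintainer. This hunk only covers cookies written client-side via `document.cookie`; if the server also emits `Set-Cookie` headers, those are not changed here. setCookie's signature and parameter list lie outside the hunk.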