A modern programming language that makes developers happier.

kotlinlang

Hey all! Before I go and file a ticket, I wanted to check if there is a reason why ktor forces the connection to your sever to be https in order to use the HSTS plugin or Secure flag on Cookies?

My server runs behind a reverse proxy and the connection between the proxy and my server is http. However, I still would like to use both these things as they still provide the same value in this configuration as they would if browser clients connected directly to my server.

<https://github.com/ktorio/ktor/blob/d424afeaa3f64f2c0745df15661808c85af8f1f1/ktor-server/ktor-server-plugins/ktor-server-hsts/jvmAndNix/src/io/ktor/server/plugins/hsts/HSTS.kt#L108|HSTS https check>
<https://github.com/ktorio/ktor/blob/d424afeaa3f64f2c0745df15661808c85af8f1f1/ktor-server/ktor-server-core/jvmAndNix/src/io/ktor/server/response/ResponseCookies.kt#L31|Secure cookie https check>

Currently I just copied the entire HSTS plugin and removed that if check. Replacing all the code for cookies would be a lot more work.

I found issues for these:
<https://youtrack.jetbrains.com/issue/KTOR-4168/HSTS-plugin-hard-codes-port-443|hsts>
<https://youtrack.jetbrains.com/issue/KTOR-3159/Allow-to-set-secure-cookie-even-with-http-scheme|secure cookies>

I don't think there is a particular reason for it. That's just how it was implemented.