The session cookie is set with HttpOnly; SameSite=Lax; Path=/ but does not include the Secure flag. This means the cookie will be sent over plain HTTP connections.

Since the server binds to 127.0.0.1 by default and uses HTTP (not HTTPS), this is acceptable for localhost use. However, when --allow-network is used to bind to 0.0.0.0, cookies could be transmitted over insecure network connections and intercepted by an attacker.

0.70.5

Fix: Conditionally add ; Secure when served over HTTPS or when --allow-network is enabled:

const securePart = isHttps ? "; Secure" : "";
return `${SESSION COOKIE NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}`;

Do not use --allow-network over untrusted networks without a TLS-terminating reverse proxy.