From 5a33d6a2ce183e5c09d1eee37265c334b3c15eb7 Mon Sep 17 00:00:00 2001 From: Tony Murray Date: Fri, 15 Sep 2023 10:21:12 -0500 Subject: [PATCH] Add SESSION_SECURE_COOKIE to the security recommendations page --- doc/General/Security.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/doc/General/Security.md b/doc/General/Security.md index ea8e8bb80771..b06e1e072cfe 100644 --- a/doc/General/Security.md +++ b/doc/General/Security.md @@ -10,10 +10,18 @@ should show that we take things seriously. As with any system of this nature, we highly recommend that you restrict access to the install via a firewall or VPN. +Please ensure you keep your install [up to date](Updating.md). + +### Enable HTTPS + It is also highly recommended that the Web interface is protected with an SSL certificate such as ones provided by [LetsEncrypt](http://www.letsencrypt.org). -Please ensure you keep your install [up to date](Updating.md). +### Secure Session Cookies + +Once you have enabled HTTPS for your install, you should set `SESSION_SECURE_COOKIE=true` +in your .env file. This will require cookies to be transferred by secure protocol and +prevent any MiM attacks against it. ### Trusted Proxies
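Review bot: In the added "Secure Session Cookies" paragraph, "prevent any MiM attacks against it" claims more than the preceding clause supports, and "it" has no clear referent. The paragraph itself says the setting requires cookies to be transferred by secure protocol, so the accurate benefit is that the session cookie is never sent over plain HTTP where it could be intercepted; it does not by itself stop every man-in-the-middle attack. Suggest rewording to something like "This ensures the session cookie is only sent over HTTPS, so it cannot be captured from an unencrypted request", and spelling the abbreviation out as "man-in-the-middle (MITM)" if it is kept. Two smaller points in the same hunk: `.env` should be in backticks to match `SESSION_SECURE_COOKIE=true`, and the LetsEncrypt link under the new "Enable HTTPS" heading still points at an http:// URL, which reads oddly in a section recommending HTTPS.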