feat: Add strict transport security and secure cookie options (#741)

coderd/coderd.go

@@ -29,6 +29,8 @@ type Options struct {
 
 	AWSCertificates      awsidentity.Certificates
 	GoogleTokenValidator *idtoken.Validator
+
+	SecureAuthCookie bool
 }
 
 // New constructs the Coder API into an HTTP handler.

coderd/users.go

@@ -417,6 +417,7 @@ func (api *api) postLogin(rw http.ResponseWriter, r *http.Request) {
 		Path:     "/",
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
+		Secure:   api.SecureAuthCookie,
 	})
 
 	render.Status(r, http.StatusCreated)