pub fn secure_cookies() -> boolExpand description
Whether auth cookies should carry the Secure attribute (sent only over
HTTPS). Defaults to true; set INSECURE_COOKIES=1 for local plain-HTTP
development. Bearer cookies (access/refresh tokens) must be Secure in
production so they can’t leak over a downgraded HTTP request.