Added secure flag to cookies and enabled HSTS

config/environments/production.rb

@@ -159,4 +159,7 @@
 
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false
+
+  # Enable HSTS in production mode
+  config.ssl_options = { hsts: { preload: true, expires: 1.year, subdomains: true } }
 end

config/initializers/session_store.rb

@@ -17,8 +17,14 @@
 # frozen_string_literal: true
 
 if ENV['LOADBALANCER_ENDPOINT'].present?
-  Rails.application.config.session_store :cookie_store, key: '_greenlight-3_0_session', domain: ENV.fetch('SESSION_DOMAIN_NAME', nil),
-                                                        path: ENV.fetch('RELATIVE_URL_ROOT', '/')
+  Rails.application.config.session_store :cookie_store,
+                                         key: '_greenlight-3_0_session',
+                                         domain: ENV.fetch('SESSION_DOMAIN_NAME', nil),
+                                         secure: Rails.env.production?,
+                                         path: ENV.fetch('RELATIVE_URL_ROOT', '/')
 else
-  Rails.application.config.session_store :cookie_store, key: '_greenlight-3_0_session', path: ENV.fetch('RELATIVE_URL_ROOT', '/')
+  Rails.application.config.session_store :cookie_store,
+                                         key: '_greenlight-3_0_session',
+                                         secure: Rails.env.production?,
+                                         path: ENV.fetch('RELATIVE_URL_ROOT', '/')
 end

db/data/20231213203353_add_default_recording_visibility_to_settings.rb

@@ -4,6 +4,9 @@ class AddDefaultRecordingVisibilityToSettings < ActiveRecord::Migration[7.1]
   def up
     setting = Setting.create!(name: 'DefaultRecordingVisibility')
     SiteSetting.create!(setting:, value: 'Published', provider: 'greenlight')
+    Tenant.each do |tenant|
+      SiteSetting.create!(setting:, value: 'Published', provider: tenant.name)
+    end
   end
 
   def down