fix(backend): remove unused secure cookie config

apps/backend/config.example.yaml

@@ -33,9 +33,6 @@ cookie:
   # Set this when frontend and API are on different subdomains (e.g., "app.com" for web.app.com + api.app.com).
   # Leave empty for same-host cookies (localhost, single domain).
   # domain: app.com
-  # Secure flag for cookies. If not set, automatically determined from request protocol (true for HTTPS, false for HTTP).
-  # Set explicitly to override automatic detection (useful for local development with HTTPS).
-  # secure: false
 
 cors:
   # Allowed origins for cross-origin requests.

apps/backend/internal/auth/cookies.go

@@ -11,10 +11,6 @@ type CookieConfig struct {
 	// Domain for cross-subdomain cookies (e.g., "app.com" for web.app.com + api.app.com).
 	// Leave empty for same-host cookies (localhost, single domain).
 	Domain string
-	// Secure controls whether cookies are only sent over HTTPS.
-	// If nil, automatically set based on request protocol (true for HTTPS, false for HTTP).
-	// If explicitly set, this value is used regardless of protocol.
-	Secure *bool
 }
 
 // authCookies returns auth cookies from the given fiber context.
@@ -33,8 +29,7 @@ func authCookies(c *fiber.Ctx) map[string]string {
 }
 
 // SetAuthCookies sets HTTP-only auth cookies with security settings derived from the request.
-// Secure flag is based on actual protocol (works automatically with proxies/tunnels),
+// Secure flag is based on the request protocol (works automatically with proxies/tunnels).
-// unless explicitly set in cfg.Secure.
 func SetAuthCookies(c *fiber.Ctx, accessToken, refreshToken string, cfg CookieConfig) {
 	secure := c.Protocol() == "https"
 

apps/backend/internal/drexa/config.go

@@ -56,10 +56,9 @@ type StorageConfig struct {
 
 // CookieConfig controls auth cookie behavior.
 // Domain is optional - only needed for cross-subdomain setups (e.g., "app.com" for web.app.com + api.app.com).
-// Secure flag is derived from the request protocol automatically, unless explicitly set.
+// Secure flag is derived from the request protocol automatically.
 type CookieConfig struct {
 	Domain string `yaml:"domain"`
-	Secure *bool  `yaml:"secure"`
 }
 
 // CORSConfig controls Cross-Origin Resource Sharing behavior.

apps/backend/internal/drexa/server.go

@@ -110,7 +110,6 @@ func NewServer(c Config) (*Server, error) {
 
 	cookieConfig := auth.CookieConfig{
 		Domain: c.Cookie.Domain,
-		Secure: c.Cookie.Secure,
 	}
 
 	authMiddleware := auth.NewAuthMiddleware(authService, db, cookieConfig)

dev/docs/backend.md

@@ -44,4 +44,4 @@
 # Configuration
 
 - Config is YAML-driven; see `apps/backend/config.example.yaml` for required fields and env overrides.
-- Keep CORS and cookie settings aligned with the frontend deployment topology.
+- Keep CORS and cookie settings aligned with the frontend deployment topology; cookie `Secure` is derived from request protocol.