From fa6fa9a77c656aa6d510c3036d63e8c7db3f8f4d Mon Sep 17 00:00:00 2001
From: xfy <i@rua.plus>
Date: Fri, 12 Jun 2026 17:31:20 +0800
Subject: [PATCH] docs: document COOKIE_SECURE and TRUSTED_PROXY_COUNT

---
 AGENTS.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/AGENTS.md b/AGENTS.md
index 4b676e4..001eea0 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -45,6 +45,13 @@ DB_POOL_SIZE=20             # database connection pool size
 SSR_CACHE_SECS=3600         # incremental SSR cache TTL
 ```
 
+Session / security tuning:
+
+```
+COOKIE_SECURE=false         # set true/1/yes to add Secure flag to session cookie
+TRUSTED_PROXY_COUNT=0       # number of reverse proxies in front of the app; used to extract real client IP from X-Forwarded-For
+```
+
 Run migrations before first dev server start:
 
 ```bash