chg: [config] Force usage of secure cookie for session and csrf protection

config/bootstrap.php

@@ -173,6 +173,14 @@ Mailer::setConfig(Configure::consume('Email'));
 Log::setConfig(Configure::consume('Log'));
 Security::setSalt(Configure::consume('Security.salt'));
 
+Configure::write('Session', [
+    'defaults' => 'php',
+    'ini' => [
+        'session.cookie_httponly' => true,
+        'session.cookie_secure' => true,
+    ]
+]);
+
 /*
  * Setup detectors for mobile and tablet.
  */

config/routes.php

@@ -49,6 +49,7 @@ $routes->scope('/', function (RouteBuilder $builder) {
     // Register scoped middleware for in scopes.
     $builder->registerMiddleware('csrf', new CsrfProtectionMiddleware([
         'httponly' => true,
+        'secure' => true,
     ]));
     /*
      * Apply a middleware to the current route scope.