
Secure cookies and local JSS app development


Dealing with rejected cookies when developing locally against a secure Sitecore installation

From Sitecore 10.0.1 onwards, Sitecore sets the Secure flag on all cookies by default.

This can impact JSS local development, because the browser rejects the proxied Sitecore cookies (including analytics cookies) if your JSS application is not running under HTTPS. As a result, the application does not track visits, and it might not apply content personalization rules.

To solve this problem, you have two options:

  • Securing your local JSS app.

  • Un-securing the Sitecore instance.

Securing your local JSS app

You can enable HTTPS in your local environment by using a local reverse proxy or a service such as ngrok.

If you are running Sitecore in containers for development (recommended), you can use the Traefik reverse proxy provided in the docker-compose environment.


The Sitecore Containers template for Next.js is pre-configured with the Traefik reverse proxy.

If you are using ngrok, you must rewrite the Host header to your local hostname. For example:

ngrok http -host-header=rewrite 3000

Un-securing the Sitecore instance

If the Sitecore instance does not require secure cookies, you can expect your local environment to work without cookie-related issues.


We strongly recommend you do not change the following settings for a production Sitecore instance.

To work around the secure cookies requirement, you can change the Sitecore web.config as follows:

  • In the httpCookies configuration, set requireSSL to false and sameSite to Unspecified.

  • In the sessionState configuration, set cookieSameSite to Unspecified.
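
Because these settings are meant for local development only, it helps to check a web.config for them before it is deployed. The following Python check is an added example, not Sitecore code: the sample configuration fragments are constructed, and the script name in the usage comment is hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: web.config fragment with the local-development workaround applied.
DEV_CONFIG = """<configuration><system.web>
  <httpCookies requireSSL="false" sameSite="Unspecified" />
  <sessionState mode="InProc" cookieSameSite="Unspecified" />
</system.web></configuration>"""

# Constructed sample (values are illustrative, not copied from a Sitecore release).
SECURE_CONFIG = """<configuration><system.web>
  <httpCookies requireSSL="true" sameSite="None" />
  <sessionState mode="InProc" cookieSameSite="None" />
</system.web></configuration>"""

# (element, attribute, value) triples for the dev-only settings this page describes.
DEV_ONLY = [
    ("httpCookies", "requireSSL", "false"),
    ("httpCookies", "sameSite", "unspecified"),
    ("sessionState", "cookieSameSite", "unspecified"),
]

def find_dev_cookie_settings(web_config_xml):
    """Return 'element attribute=value' strings for each dev-only setting found."""
    root = ET.fromstring(web_config_xml)  # accepts str or bytes
    findings = []
    for tag, attr, bad in DEV_ONLY:
        # iter() also walks into <location> blocks, which can override system.web.
        for el in root.iter(tag):
            value = el.get(attr)
            if value is not None and value.strip().lower() == bad:
                findings.append(f"{tag} {attr}={value}")
    return findings

def main(argv):
    # Hypothetical usage: python check_cookies.py path/to/web.config
    # Read bytes so a byte-order mark or XML declaration is handled by the parser.
    data = open(argv[1], "rb").read() if len(argv) > 1 else DEV_CONFIG
    findings = find_dev_cookie_settings(data)
    for finding in findings:
        print("dev-only cookie setting:", finding)
    return 1 if findings else 0  # non-zero exit fails a build step

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against a production web.config in a build or release step, a non-zero exit code means one of the development-only cookie settings is still present.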