fix: mark default session cookie as Secure in production

[andguy95]

WHY are these changes introduced?

Strengthen the default security of session cookie configuration and post-login redirect handling for secure cookie attributes and redirect validation.

WHAT is this pull request doing?

Session cookie hardening (templates/skeleton/ + 10 example files):

• Added secure: process.env.NODE_ENV === 'production' to all createCookieSessionStorage cookie configs
• This only affects newly scaffolded projects and merchants who copy the example code

Redirect validation (packages/hydrogen/src/customer/customer.ts):

• Replaced getRedirectUrl (which accepted any same-origin URL regardless of protocol) with getSafeCustomerAccountRedirectPath — enforces HTTPS protocol, same-origin check, and normalizes output to a relative path
• Added getRedirectPathFromSearchParams to extract and validate return_to/redirect query params
• Applied validation at both login() (when the redirect path is stored) and authorize() (when it's read back from the session) — defense-in-depth against session tampering
• Added warnRedirectUrlRejected() that fires in development mode with the [h2:warn:customerAccount] prefix when a redirect URL is rejected
• Unsafe redirects silently fall back to /account

Tests (packages/hydrogen/src/customer/customer.test.ts):

• 8 new test cases covering: path-only, HTTPS same-origin, HTTP same-origin, cross-origin HTTPS, Referer-based redirects, and various attack vectors (javascript:, data:, //evil.com, malformed URLs)
• Authorize-side tests for HTTPS same-origin normalization, HTTP rejection, and cross-origin rejection of stored session redirect paths
• Extracted mockSuccessfulTokenExchange() helper to reduce duplication

HOW to test your changes?

1. Run unit tests: pnpm vitest run packages/hydrogen/src/customer/customer.test.ts — 103 pass, 0 fail
2. Run skeleton dev server, inspect session cookie in DevTools → Application → Cookies — Secure flag should be off in dev,
3. Can deploy app to production and session cookie in DevTools → Application → Cookies — Secure flag should be on in production (pnpm build && NODE_ENV=production pnpm start)

Post-merge steps

None required.

Checklist

• I've read the Contributing Guidelines
• I've considered possible cross-platform impacts (Mac, Linux, Windows)
• I've added a changeset if this PR contains user-facing or functional changes. Test changes or internal-only config changes do not require a changeset.
• I've added tests to cover my changes
• I've added or updated the documentation

[shopify]

Oxygen deployed a preview of your an-mark-session-cookie-as-secure branch. Details:

Storefront	Status	Preview link	Deployment details	Last update (UTC)
Skeleton (skeleton.hydrogen.shop)	✅ Successful (Logs)	Preview deployment	Inspect deployment	June 16, 2026 8:17 PM

Learn more about Hydrogen's GitHub integration.