* Determines if the search parameter cookie should be secure based on configuration and request.
     *
     * @param request The HTTP request
     * @return true if the cookie should have the secure flag set
     */
    protected boolean isSearchParameterCookieSecure(final HttpServletRequest request) {
        final FessConfig fessConfig = ComponentUtil.getFessConfig();
        final String secure = fessConfig.getCookieSearchParameterSecure();

  - 🤖 An automatically generated frontend client.
  - 🧪 [Playwright](https://playwright.dev) for End-to-End testing.
  - 🦇 Dark mode support.
- 🐋 [Docker Compose](https://www.docker.com) for development and production.
- 🔒 Secure password hashing by default.
- 🔑 JWT (JSON Web Token) authentication.
- 📫 Email based password recovery.
- ✅ Tests with [Pytest](https://pytest.org).
- 📞 [Traefik](https://traefik.io) as a reverse proxy / load balancer.

If you want to secure your API, there are several better things you can do, for example:

* Make sure you have well defined Pydantic models for your request bodies and responses.
* Configure any required permissions and roles using dependencies.

    title: Auth, user management and more for your B2B product
    img: https://fastapi.tiangolo.com/img/sponsors/propelauth.png
  - url: https://zuplo.link/fastapi-gh
    title: 'Zuplo: Deploy, Secure, Document, and Monetize your FastAPI'
    img: https://fastapi.tiangolo.com/img/sponsors/zuplo.png
  - url: https://liblab.com?utm_source=fastapi
    title: liblab - Generate SDKs from FastAPI

///

## `HTTPSRedirectMiddleware` { #httpsredirectmiddleware }

Enforces that all incoming requests must either be `https` or `wss`.

Any incoming request to `http` or `ws` will be redirected to the secure scheme instead.

{* ../../docs_src/advanced_middleware/tutorial001_py39.py hl[2,6] *}

## `TrustedHostMiddleware` { #trustedhostmiddleware }

* The **output model** should not have a password.
* The **database model** would probably need to have a hashed password.

/// danger

Never store user's plaintext passwords. Always store a "secure hash" that you can then verify.

If you don't know, you will learn what a "password hash" is in the [security chapters](security/simple-oauth2.md#password-hashing){.internal-link target=_blank}.

///

But we still want to set a custom `prefix` when including the `APIRouter` so that all its *path operations* start with `/admin`, we want to secure it with the `dependencies` we already have for this project, and we want to include `tags` and `responses`.

cookie.search.parameter.name=fsrp
# Whether to set HttpOnly attribute to the search parameter cookie.
cookie.search.parameter.http_only=true
# Whether to set Secure attribute to the search parameter cookie. Should be true in production environments using HTTPS.
cookie.search.parameter.secure=
# Max-Age (in seconds) for the search parameter cookie. Use -1 for session-only cookies.
cookie.search.parameter.max_age=60

<a href="https://zuplo.link/fastapi-gh" target="_blank" title="Zuplo: Deploy, Secure, Document, and Monetize your FastAPI"><img src="https://fastapi.tiangolo.com/img/sponsors/zuplo.png"></a>

		"../foo",
		"/foo",
		"a/b/../../../c",
	} {
		var buf bytes.Buffer
		tw := NewWriter(&buf)
		tw.WriteHeader(&Header{
			Name: path,
		})
		const securePath = "secure"
		tw.WriteHeader(&Header{
			Name: securePath,
		})
		tw.Close()

		tr := NewReader(&buf)
		h, err := tr.Next()
		if err != ErrInsecurePath {