@Rui0828 Rui0828 commented Dec 3, 2025

Problem

The current implementation in server-ce/config/settings.js has two issues with environment variable handling:

1. OVERLEAF_SECURE_COOKIE: Uses incorrect boolean evaluation

secureCookie: process.env.OVERLEAF_SECURE_COOKIE != null,

The expression != null only checks if the variable exists, not its value:

  • OVERLEAF_SECURE_COOKIE=false → evaluates to true (variable exists)
  • OVERLEAF_SECURE_COOKIE=true → evaluates to true (variable exists)
  • Unset → evaluates to false

Result: Users cannot disable secure cookies even when explicitly setting false.

2. OVERLEAF_BEHIND_PROXY: Hardcoded to true, ignoring environment variable

behindProxy: true,

The environment variable OVERLEAF_BEHIND_PROXY is completely ignored, making it impossible to disable proxy mode through configuration.

Impact

This is particularly problematic because the default configuration template in overleaf/toolkit at lib/config-seed/variables.env includes:

## Set for TLS via nginx-proxy
# OVERLEAF_BEHIND_PROXY=true
# OVERLEAF_SECURE_COOKIE=true

Users who uncomment these lines and set them to false (e.g., for local development or HTTP-only deployments) will find:

  • OVERLEAF_SECURE_COOKIE=false doesn't work - secure cookies are still enabled
  • OVERLEAF_BEHIND_PROXY=false is completely ignored - proxy mode is always on

This causes:

  • Session cookies not being set in HTTP environments (blocking all logins with 403 CSRF errors)
  • Incorrect proxy header handling
  • Confusion and debugging difficulties for users running without a proxy

Solution

This PR fixes both issues:

1. OVERLEAF_SECURE_COOKIE: Changed to properly parse string values

secureCookie: process.env.OVERLEAF_SECURE_COOKIE === 'true',

2. OVERLEAF_BEHIND_PROXY: Changed to read from environment variable

behindProxy: process.env.OVERLEAF_BEHIND_PROXY === 'true',

Now the behavior is correct:

  • OVERLEAF_SECURE_COOKIE=true → true
  • OVERLEAF_SECURE_COOKIE=false → false
  • OVERLEAF_BEHIND_PROXY=true → true
  • OVERLEAF_BEHIND_PROXY=false → false
  • Unset → false (safe default for development)

Testing

Tested with various configurations:

  • ✅ Setting OVERLEAF_SECURE_COOKIE=false now correctly allows HTTP cookies
  • ✅ Setting OVERLEAF_BEHIND_PROXY=false now correctly disables proxy mode
  • ✅ Default behavior (unset) uses safe defaults
  • ✅ Explicit true values work as expected
  • ✅ HTTP-only deployment now works correctly without 403 CSRF errors

Breaking Changes

None. This fixes broken behavior while maintaining backward compatibility:

  • Unset variables still default to false
  • Setting to true continues to work as expected

Fixes #1032
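Added example, not code from the Overleaf repository or this PR: a small reproduction of the `!= null` bug described above next to the PR's `=== 'true'` fix, plus a slightly stricter parser (an assumption of this example, not part of the PR) that accepts common boolean spellings and rejects unrecognised values instead of silently coercing them. The environments below are constructed to mirror the cases listed in the description.

```javascript
// Constructed environments mirroring the cases in the PR description.
// `env` is passed in explicitly so the logic can be exercised without
// touching the real process.env.
const ENV_UNSET = {};
const ENV_FALSE = { OVERLEAF_SECURE_COOKIE: 'false', OVERLEAF_BEHIND_PROXY: 'false' };
const ENV_TRUE = { OVERLEAF_SECURE_COOKIE: 'true', OVERLEAF_BEHIND_PROXY: 'true' };

// Buggy evaluation from the original settings.js: any value, even the
// string "false", makes the variable "present", so secureCookie is true,
// and behindProxy never consults OVERLEAF_BEHIND_PROXY at all.
function legacySettings(env) {
  return {
    secureCookie: env.OVERLEAF_SECURE_COOKIE != null,
    behindProxy: true,
  };
}

// The PR's fix: strict comparison against the string 'true'; unset or any
// other value yields false.
function fixedSettings(env) {
  return {
    secureCookie: env.OVERLEAF_SECURE_COOKIE === 'true',
    behindProxy: env.OVERLEAF_BEHIND_PROXY === 'true',
  };
}

// Hypothetical stricter parser (not in the PR): tolerant of case and of
// 1/0, yes/no, on/off, but a typo such as "ture" fails loudly at startup
// instead of quietly turning a security setting off.
function parseBoolEnv(env, name, fallback = false) {
  const raw = env[name];
  if (raw === undefined || raw === '') return fallback;
  const v = raw.trim().toLowerCase();
  if (['true', '1', 'yes', 'on'].includes(v)) return true;
  if (['false', '0', 'no', 'off'].includes(v)) return false;
  throw new Error(`${name}: expected a boolean, got ${JSON.stringify(raw)}`);
}

function strictSettings(env) {
  return {
    secureCookie: parseBoolEnv(env, 'OVERLEAF_SECURE_COOKIE'),
    behindProxy: parseBoolEnv(env, 'OVERLEAF_BEHIND_PROXY'),
  };
}

// Side-by-side comparison for the three constructed environments.
for (const [label, env] of Object.entries({ ENV_UNSET, ENV_FALSE, ENV_TRUE })) {
  console.log(label, 'legacy:', legacySettings(env), 'fixed:', fixedSettings(env));
}
```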

…iable

Previously, behindProxy was hardcoded to true, making it impossible
to disable proxy mode via environment variables.

Changed to read from OVERLEAF_BEHIND_PROXY environment variable,
defaulting to false when not set.

Development

Successfully merging this pull request may close these issues.

Overleaf docker on unRaid cookie problem, when creating admin account.
