From 40a5f94941086af020c1eb2a501cddd00a1034f7 Mon Sep 17 00:00:00 2001
From: Khwezi Mngoma <khwezi@msn.com>
Date: Sun, 14 Jun 2026 22:50:31 +0200
Subject: [PATCH] Refactored CheckSameSite

---
 LiteCharms.Features/Extensions/Api.cs | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/LiteCharms.Features/Extensions/Api.cs b/LiteCharms.Features/Extensions/Api.cs
index bd659e3..4cda1da 100644
--- a/LiteCharms.Features/Extensions/Api.cs
+++ b/LiteCharms.Features/Extensions/Api.cs
@@ -137,8 +137,17 @@ public static class Api
     private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
     {
         if (options.SameSite == SameSiteMode.None)
-            if (!httpContext.Request.IsHttps && httpContext.Request.Headers["X-Forwarded-Proto"] != "https") 
-                options.SameSite = SameSiteMode.Unspecified;
+        {
+            bool isSecure = httpContext.Request.IsHttps;
+
+            if (!isSecure && httpContext.Request.Headers.TryGetValue("X-Forwarded-Proto", out var proto))
+                isSecure = string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase);
+
+            if (!isSecure && httpContext.Request.Headers.TryGetValue("Forwarded", out var forwarded))
+                isSecure = forwarded.ToString().Contains("proto=https", StringComparison.OrdinalIgnoreCase);
+                        
+            if (!isSecure) options.SameSite = SameSiteMode.Unspecified;
+        }
     }
 
     public static IServiceCollection AddLiteCharmsApiSecurity(this IServiceCollection services, IConfiguration configuration)