Fixed
SESSION_SECURE now defaults to false so that direct HTTP deployments (TrueNAS, bare Docker, Podman without a reverse proxy) work out of the box. Previously the default was true, which caused login to return 200 but every subsequent request to return 401 — the browser silently dropped the Secure cookie over plain HTTP. Set SESSION_SECURE=true in your .env when running behind an HTTPS reverse proxy (Caddy, Nginx, Traefik).
Docker Compose and Podman Compose deployments are unaffected — all Compose files already injected SESSION_SECURE=false via ${SESSION_SECURE:-false} and continue to behave identically.
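The 200-then-401 symptom described above can be reproduced with a small model of the browser's cookie rule. This is an added example, not code from the Oikos project: the function names, the cookie name `sid`, the cookie attributes other than Secure, and the way SESSION_SECURE is parsed are all assumptions made for illustration.

```javascript
// Added example (not Oikos code). All names here are hypothetical.

// Assumption: only the literal string "true" enables the flag;
// unset or empty falls back to the given default.
function parseSessionSecure(value, fallback) {
  if (value === undefined || value === '') return fallback;
  return String(value).trim().toLowerCase() === 'true';
}

// Build the Set-Cookie header a login response would carry.
function buildSetCookie(sessionId, secure) {
  const attrs = [`sid=${sessionId}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Browser rule: a cookie marked Secure that arrives over plain HTTP is
// not stored. Simplified: ignores the localhost exemption some browsers apply.
function browserStores(setCookieHeader, scheme) {
  const attrs = setCookieHeader.split(';').map((a) => a.trim().toLowerCase());
  return !(attrs.includes('secure') && scheme !== 'https');
}

// Simulate login followed by one authenticated request.
// `scheme` is the scheme the browser sees: "http" for a direct deployment,
// "https" when a reverse proxy terminates TLS in front of the app.
function simulateLogin(env, scheme) {
  const secure = parseSessionSecure(env.SESSION_SECURE, false); // new default
  const header = buildSetCookie('constructed-session-id', secure);
  const stored = browserStores(header, scheme);
  return {
    header,
    loginStatus: 200,                       // login itself always succeeds
    nextRequestStatus: stored ? 200 : 401,  // no cookie sent means no session
    // On HTTPS without Secure the cookie works but is not restricted to
    // encrypted connections, hence SESSION_SECURE=true behind a proxy.
    lacksSecureOnHttps: scheme === 'https' && !secure,
  };
}

// Constructed scenarios: direct HTTP with the old default, then the new one.
const oldDefault = simulateLogin({ SESSION_SECURE: 'true' }, 'http');
const newDefault = simulateLogin({}, 'http');
console.log(oldDefault.loginStatus, oldDefault.nextRequestStatus);
console.log(newDefault.loginStatus, newDefault.nextRequestStatus);
```

The `lacksSecureOnHttps` field marks the opposite misconfiguration: an HTTPS deployment left at the default issues a session cookie without the Secure attribute.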
Full changelog: https://github.com/ulsklyc/oikos/blob/main/CHANGELOG.md