GSSA-2026-04-0503 | DX | 2026-04-25 | 5.3 Medium
Authentication cookie missing `Secure` flag
The JWT authentication cookie was set with `secure: false`, allowing it to be transmitted over plaintext HTTP and intercepted by a network-positioned attacker, who could then impersonate the user with their full admin scope.
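As an added illustration (example code, not part of the advisory or the affected product), the following JavaScript places the weak cookie configuration described above beside a hardened one and runs a small `Set-Cookie` audit that flags the missing attribute. The Express-style option names (`secure`, `httpOnly`, `sameSite`), the cookie name `auth_token` and the token value are assumptions chosen for the example.

```javascript
// Added example, not the advisory's own code. The option shape
// ({ secure, httpOnly, sameSite, path, maxAge }) follows the common
// Express-style res.cookie() options; cookie name and token are constructed.

// Serialise a cookie into a Set-Cookie header value from Express-style options.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value into its name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Audit an authentication cookie header. Returns a list of findings; empty means
// every attribute a session-bearing cookie should carry is present.
function auditAuthCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.secure) findings.push('missing Secure: cookie may be sent over plaintext HTTP');
  if (!attributes.httponly) findings.push('missing HttpOnly: cookie readable from page script');
  if (!attributes.samesite) findings.push('missing SameSite: cookie attached to cross-site requests');
  return findings;
}

// Constructed placeholder token; not a real JWT.
const TOKEN = 'eyJhbGciOiJIUzI1NiJ9.constructed-sample-token';

// Weak configuration, as described in the advisory: secure: false.
const WEAK_COOKIE = serializeCookie('auth_token', TOKEN, {
  httpOnly: true, secure: false, path: '/',
});

// Hardened configuration: Secure set, plus HttpOnly and SameSite for a session cookie.
const HARDENED_COOKIE = serializeCookie('auth_token', TOKEN, {
  httpOnly: true, secure: true, sameSite: 'Strict', path: '/', maxAge: 3600 * 1000,
});

console.log('weak:    ', WEAK_COOKIE, auditAuthCookie(WEAK_COOKIE));
console.log('hardened:', HARDENED_COOKIE, auditAuthCookie(HARDENED_COOKIE));
```

Running the audit against captured response headers in a CI step or a proxy log is a cheap way to catch a regression like this one before it ships: any cookie that carries a session or bearer token and lacks `Secure` should fail the check.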