Drop dependency on secure_headers, fix response headers (#15712)

* Drop dependency on secure_headers, use always_write_cookie instead

* Fix cookies in Tor Hidden Services by moving configuration to application.rb

* Instead of setting always_write_cookie at boot, monkey-patch ActionDispatch

config/initializers/devise.rb

@@ -9,6 +9,7 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
     value: session_id,
     expires: 1.year.from_now,
     httponly: true,
+    secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
     same_site: :lax,
   }
 end
@@ -19,6 +20,7 @@ Warden::Manager.after_fetch do |user, warden|
       value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
       expires: 1.year.from_now,
       httponly: true,
+      secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
       same_site: :lax,
     }
   else
@@ -227,6 +229,10 @@ Devise.setup do |config|
   # If true, extends the user's remember period when remembered via cookie.
   # config.extend_remember_period = false
 
+  # Options to be passed to the created cookie. For instance, you can set
+  # secure: true in order to force SSL only cookies.
+  config.rememberable_options = { secure: true }
+
   # ==> Configuration for :validatable
   # Range for password length.
   config.password_length = 8..72