Cookie Secure.
Ensures cookies are only sent over HTTPS — prevents network interception
What does this check test?
The `Secure` flag is a cookie attribute that instructs the browser to only include the cookie in requests made over HTTPS connections. A cookie with the Secure flag will never be sent over plaintext HTTP, even if the user navigates to an HTTP version of the site. This prevents the cookie from being transmitted in cleartext where it could be intercepted by network-level attackers.
Why does it matter?
Without the Secure flag, cookies (including session tokens) are sent over HTTP requests, making them visible to anyone monitoring the network. On public Wi-Fi or compromised networks, an attacker can passively capture cookies from unencrypted HTTP traffic using tools like Wireshark. Even if your site redirects HTTP to HTTPS, the initial HTTP request may include cookies before the redirect occurs. The Secure flag ensures cookies are never exposed in transit regardless of how the user accesses your site.
Who is affected?
Every cookie that contains sensitive data must have the Secure flag set. This includes session identifiers, authentication tokens, CSRF tokens, and any cookie carrying user-specific information. Since all modern production sites should be served over HTTPS, there is rarely a reason to omit the Secure flag. The only exception is during local development over HTTP, where you may need to conditionally omit it.
Where does this apply?
The Secure flag is set alongside other cookie attributes in the `Set-Cookie` header or in your server-side cookie configuration. Review all cookies set by your application, including those set by third-party libraries and middleware. Check browser DevTools under Application > Cookies and verify the Secure column is checked for all sensitive cookies.
How to fix it
Node.js / Express

res.cookie('session', token, {
  secure: true,
  httpOnly: true,
  sameSite: 'lax'
});

// For local development, conditionally set the flag:
res.cookie('session', token, {
  secure: process.env.NODE_ENV === 'production',
  httpOnly: true
});

Django

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

Flask

app.config['SESSION_COOKIE_SECURE'] = True

Next.js

response.cookies.set('session', token, {
  secure: true,
  httpOnly: true,
  sameSite: 'lax'
});

Spring Boot

server.servlet.session.cookie.secure=true

The raw header

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/
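The review step above ("review all cookies set by your application") can be scripted against the raw Set-Cookie header format shown here. The following Node.js audit is an added example, not code from the original page or from AppVet: it parses Set-Cookie header values and reports every cookie that lacks the Secure flag, marks names that look like session, auth or CSRF material, and notes the `__Secure-`/`__Host-` prefix rule. The sample headers are constructed input and the sensitive-name pattern is an assumption you would tune to your own cookie names.

```javascript
// Added example (not from the original page): audit raw Set-Cookie header values
// for the Secure flag, the way you would review the headers of your own application.
// SAMPLE_HEADERS are constructed input; SENSITIVE_NAME is an assumed heuristic.

// Parse one Set-Cookie header value into its name, value and lower-cased attributes.
// Flag-style attributes (Secure, HttpOnly) are stored as `true`; valued ones keep their value.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const [nameValue = '', ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = (eq === -1 ? nameValue : nameValue.slice(0, eq)).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attributes = {};
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Heuristic for cookies likely to carry session, auth or CSRF material.
// This list is an assumption of the example; tune it to the names your application uses.
const SENSITIVE_NAME = /session|sess|auth|token|csrf|xsrf|jwt|sid/i;

// Audit a list of Set-Cookie header values. Returns one finding per cookie that is
// missing the Secure flag, marking whether the name looks sensitive and noting the
// __Secure-/__Host- prefix rule (browsers reject such cookies when Secure is absent).
function auditSetCookieHeaders(headers) {
  const findings = [];
  for (const header of headers) {
    const { name, attributes } = parseSetCookie(header);
    if ('secure' in attributes) continue;
    const problems = ['missing Secure'];
    if (/^__(Secure|Host)-/.test(name)) {
      problems.push('prefix requires Secure; browsers will reject this cookie');
    }
    findings.push({ name, sensitive: SENSITIVE_NAME.test(name), problems });
  }
  return findings;
}

// Constructed sample headers, as they might appear in responses from an app under review.
const SAMPLE_HEADERS = [
  'session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/', // correct
  'sessionid=def456; HttpOnly; Path=/',                     // session cookie without Secure
  'csrftoken=ghi789; Path=/; SameSite=Lax',                 // CSRF cookie without Secure
  'theme=dark; Path=/',                                     // low-value cookie, still flagged
  '__Host-id=xyz; Path=/',                                  // prefix rule violated
];

for (const finding of auditSetCookieHeaders(SAMPLE_HEADERS)) {
  const label = finding.sensitive ? 'SENSITIVE' : 'info';
  console.log(`[${label}] ${finding.name}: ${finding.problems.join('; ')}`);
}
```

Feed it the `set-cookie` headers captured from your own responses (for example from DevTools or an HTTP client library) to get the same list the manual Application > Cookies review would produce, with the Secure-less cookies that carry session or CSRF material called out first.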
AppVet checks Cookie Secure automatically