Cookies Not Marked as Secure - Vulnerability Database

Cookies Not Marked as Secure

Description

The application sets one or more cookies without the Secure flag attribute. The Secure flag is a browser directive that ensures cookies are only transmitted over encrypted HTTPS connections, never over unencrypted HTTP. Without this flag, cookies—including session identifiers and authentication tokens—may be sent in cleartext during HTTP requests, exposing them to interception by attackers on the network.

Remediation

Configure all cookies to include the Secure flag, especially those containing sensitive data such as session identifiers or authentication tokens. Implementation varies by platform:

Java (Servlet):

// Secure limits the cookie to HTTPS; HttpOnly keeps it out of client-side script
Cookie cookie = new Cookie("sessionId", sessionValue);
cookie.setSecure(true);
cookie.setHttpOnly(true);
response.addCookie(cookie);

PHP (options-array form, available since PHP 7.3):

setcookie("sessionId", $sessionValue, [
    'secure' => true,
    'httponly' => true,
    'samesite' => 'Strict'
]);

ASP.NET (System.Web / ASP.NET Framework):

HttpCookie cookie = new HttpCookie("sessionId", sessionValue);
cookie.Secure = true;
cookie.HttpOnly = true;
Response.Cookies.Add(cookie);

Node.js (Express):

res.cookie('sessionId', sessionValue, {
    secure: true,
    httpOnly: true,
    sameSite: 'strict'
});

Additionally, ensure your application is fully accessible over HTTPS and consider implementing HTTP Strict Transport Security (HSTS) to prevent downgrade attacks. Review all cookies set by your application and apply the Secure flag universally to prevent accidental transmission over insecure channels.
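To verify the fix against what a server actually sends, the following added example (not Invicti's code) parses Set-Cookie header values and reports every cookie that lacks the Secure or HttpOnly attribute; the header list, cookie names and values below are constructed, and the input shape matches Node's res.headers['set-cookie'].

```javascript
// Added example (not Invicti's code): audit Set-Cookie headers for the
// Secure and HttpOnly flags. Sample headers below are constructed.

// Parse one Set-Cookie value into its cookie name and a map of attributes.
// Attribute names are case-insensitive (RFC 6265), so they are lowercased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = (eq === -1 ? parts[0] : parts[0].slice(0, eq)).trim();
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Audit a list of Set-Cookie values (the shape of res.headers['set-cookie']
// in Node; a single string or undefined is also accepted) and return one
// finding per missing flag.
function auditSetCookie(headers) {
  const list = Array.isArray(headers) ? headers : headers ? [headers] : [];
  const findings = [];
  for (const header of list) {
    const { name, attrs } = parseSetCookie(header);
    if (!('secure' in attrs)) findings.push({ cookie: name, issue: 'missing Secure' });
    if (!('httponly' in attrs)) findings.push({ cookie: name, issue: 'missing HttpOnly' });
  }
  return findings;
}

// Constructed sample: one cookie set correctly, three set incompletely.
const sampleHeaders = [
  'sessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
  'tracking=xyz789; Path=/; Max-Age=31536000',
  'csrf=tok456; Path=/; HttpOnly',
  'theme=dark; Path=/; secure',
];

for (const f of auditSetCookie(sampleHeaders)) {
  console.log(`${f.cookie}: ${f.issue}`);
}
```

Running the audit against a live response only requires passing res.headers['set-cookie'] from an https request; every cookie listed under "missing Secure" is an instance of this finding.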

Related Vulnerabilities