Cookies with Secure flag set over insecure connection
Description
The application sets one or more cookies with the Secure flag enabled in a response delivered over an unencrypted HTTP connection. The Secure flag instructs browsers to transmit a cookie only over HTTPS, so issuing it over HTTP is inconsistent. Browsers that implement the "strict secure cookies" rule of RFC 6265bis (current Chrome and Firefox) reject such a Set-Cookie header outright; older browsers store the cookie but never return it over HTTP. Either way the cookie does not behave as intended. Note that the Set-Cookie header itself has already crossed the network in cleartext, so the cookie value is exposed to a network observer regardless of the flag. The finding is a configuration error rather than a direct vulnerability in the flag itself; its real significance is that the application is reachable, and issuing cookies, over plain HTTP.
Remediation
Ensure that all cookies with the Secure flag are set exclusively over HTTPS connections. Follow these steps to remediate:
1. Configure your web server or application to redirect all HTTP traffic to HTTPS, ensuring the application is only accessible via encrypted connections.
2. If HTTPS cannot be implemented immediately, remove the Secure flag from cookies until secure connections are available. This only restores functionality; the cookie value still travels in cleartext, so keep the workaround short-lived and avoid issuing session cookies over HTTP at all where possible. Example for common frameworks:
// PHP - Remove Secure flag for HTTP (array-options form, PHP 7.3+)
setcookie('session_id', $value, [
    'path'     => '/',
    'secure'   => false, // Only set to true when using HTTPS
    'httponly' => true
]);

// Java Servlet - Remove Secure flag
import javax.servlet.http.Cookie;

Cookie cookie = new Cookie("session_id", value);
cookie.setPath("/");
cookie.setSecure(false); // Only set to true when using HTTPS
cookie.setHttpOnly(true);
response.addCookie(cookie); // response is the HttpServletResponse

3. Once HTTPS is fully implemented, re-enable the Secure flag on all sensitive cookies, particularly session cookies:
// After HTTPS is enabled
setcookie('session_id', $value, [
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict'
]);

4. Verify that your application functions correctly after the changes: confirm that HTTP requests are redirected to HTTPS, that responses served over HTTPS carry Set-Cookie headers with the Secure flag, and that no Set-Cookie header with Secure is ever emitted on a plain HTTP response.
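The four steps above carried through end to end, as an added example in Python (the page's own snippets are PHP and Java; this code is not from the page). It is a framework-free WSGI application using only the standard library: plain HTTP requests are redirected to HTTPS without setting any cookie (step 1), the session cookie is issued with Secure, HttpOnly and SameSite=Strict only on HTTPS (step 3), and a small checker reproduces the scanner's finding from a Set-Cookie header and the scheme it was served on (step 4). The cookie name, host name and the function names `session_cookie_header`, `check_set_cookie`, `app` and `call` are assumptions for illustration.

```python
"""Added example (not from the page): HTTP-to-HTTPS redirect, scheme-aware
session cookie attributes, and an offline checker that reproduces the
scanner finding. Standard library only; names are illustrative."""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit
from wsgiref.util import request_uri

SESSION_COOKIE = "session_id"  # assumed cookie name, matching the page's snippets


def session_cookie_header(value: str, https: bool) -> str:
    """Return the Set-Cookie header value for the session cookie.

    Over HTTPS (step 3): Secure + HttpOnly + SameSite=Strict.
    Over plain HTTP (step 2): Secure is omitted so the browser does not
    discard the cookie; HttpOnly is kept. The value still crosses the wire
    in cleartext, so this branch is only a stopgap until step 1 is done.
    """
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = value
    morsel = jar[SESSION_COOKIE]
    morsel["path"] = "/"
    morsel["httponly"] = True
    if https:
        morsel["secure"] = True
        morsel["samesite"] = "Strict"
    return morsel.OutputString()


def check_set_cookie(scheme: str, set_cookie: str) -> list:
    """Step 4 verification: inspect one Set-Cookie header given the scheme
    ('http' or 'https') the response was served on; return issue strings."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    issues = []
    for name, morsel in jar.items():
        if scheme == "http" and morsel["secure"]:
            # The page's finding: rejected or never returned by the browser,
            # and the value has already travelled in cleartext.
            issues.append(f"{name}: Secure flag set over plain HTTP")
        if scheme == "https" and not morsel["secure"]:
            issues.append(f"{name}: missing Secure flag over HTTPS")
    return issues


def app(environ, start_response):
    """Minimal WSGI application implementing steps 1 and 3.

    Caveat: behind a TLS-terminating proxy, wsgi.url_scheme describes the
    hop to the proxy; derive the real scheme from a forwarded header you
    trust before applying this logic.
    """
    if environ.get("wsgi.url_scheme") != "https":
        # Step 1: redirect, and set no cookie on the cleartext hop.
        target = urlsplit(request_uri(environ))._replace(scheme="https").geturl()
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]
    token = secrets.token_hex(16)  # fresh session identifier
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", session_cookie_header(token, https=True)),
    ])
    return [b"ok\n"]


def call(environ: dict):
    """Invoke app() in-process and return (status, headers) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    # Constructed requests: the same path over HTTP and over HTTPS.
    for scheme in ("http", "https"):
        env = {"wsgi.url_scheme": scheme, "HTTP_HOST": "app.example",
               "PATH_INFO": "/login"}
        status, headers = call(env)
        print(scheme, status, headers)
        if "Set-Cookie" in headers:
            print("  issues:", check_set_cookie(scheme, headers["Set-Cookie"]))
    # The misconfiguration the scanner reports, reproduced offline.
    print(check_set_cookie("http", "session_id=abc; Secure; HttpOnly; Path=/"))
```

Running the module shows the HTTP request answered with a 301 to the https:// URL and no cookie, the HTTPS request answered with a Secure, HttpOnly, SameSite=Strict cookie that the checker passes, and the constructed Secure-over-HTTP header flagged. The same `check_set_cookie` logic can be pointed at headers captured from a real deployment with curl or a proxy to confirm step 4.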