Cookies missing the Secure flag on an HTTPS site

The Secure flag on a cookie tells the browser to send that cookie only over an encrypted HTTPS connection, never over unencrypted HTTP. A cookie set by an HTTPS site without this flag is still attached to any plain-HTTP request the browser makes to the same host.

Why this matters

Without this flag, if the user's browser can be made to send even one request to the site over plain HTTP (a known downgrade technique), the cookie, which may carry the user's login session, is transmitted in cleartext and can be intercepted by an attacker on the same network.

How to fix it

Set the Secure attribute on all cookies, especially those used for login sessions. This is typically a one-line change in your server or application framework configuration.
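As an added example (not code from the original page), the following checker parses the Set-Cookie headers an HTTPS response returns, reports any cookie that lacks the Secure attribute, and shows the header a correctly flagged session cookie should carry. The sample headers and the cookie names in it are constructed for illustration; the HttpOnly and SameSite attributes in the helper go beyond the Secure flag this page discusses and are included only because they belong on any session cookie.

```python
"""Audit Set-Cookie headers for the missing Secure attribute.

Added example, not part of the original page. The sample headers below
are constructed; a real audit would take them from an HTTPS response.
"""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into its name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are stored
    lowercased. Flag attributes such as Secure have an empty value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookies_missing_secure(set_cookie_headers) -> list:
    """Return the names of cookies the browser would also send over plain HTTP."""
    return [
        parsed["name"]
        for parsed in map(parse_set_cookie, set_cookie_headers)
        if "secure" not in parsed["attrs"]
    ]


def session_cookie_header(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie header for a session cookie with Secure set.

    HttpOnly and SameSite are added as well (hardening beyond this page's
    topic): they address script access and cross-site sending respectively.
    """
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample: two Set-Cookie headers as an HTTPS response might return them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",        # session cookie, Secure missing
    "prefs=dark; Path=/; Secure; SameSite=Lax",  # correctly flagged
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie {cookie_name!r} lacks the Secure attribute")
    print("corrected header:", session_cookie_header("sessionid", "abc123"))
```

Running the audit over the constructed sample reports only `sessionid`; the corrected header it prints is the shape of the one-line fix described above, whatever framework actually emits it.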