Cookie Flags: Secure
Purpose
Why use this header at all?
The "Secure" flag is a cookie attribute that instructs the user's browser never to transmit the cookie over plain HTTP connections, preventing accidental unencrypted leakage of session cookies and reducing the value of HTTP downgrade attacks.
Recommendation
Consider the Impact of Compliance section below to see if this recommendation works for you.
If your site supports HTTPS, and there is no technical reason you need to support the transmission of cookies via HTTP, enable this flag.
Risk Mitigated
By following this recommendation, what risk is mitigated?
Any site that relies on cookies for session management is at risk of MitM session hijacking.
Impact of Compliance
By using this header, you may expect these changes in your site's functionality
If your site serves mixed content (that is, a mixture of HTTP and HTTPS pages), enabling this flag will cause the HTTP pages to be requested without the session cookie, potentially causing intermittent session issues.
Next Steps
What you can do to get there
Some servers and programming languages have a configuration file (such as PHP.INI) that allows you to set this attribute automatically when using the built-in cookie mechanisms. If your developers have implemented their own cookie/session management, they may need to modify their code to comply.
Example
What this header may look like when implemented securely
Set-Cookie: {cookieName}={cookieValue}; Secure
(This ignores other cookie parameters, such as Path, Expires, and other recommended attributes.)
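The following toy cookie jar is an added example, not part of the original page: it parses Set-Cookie headers, shows which cookies a browser would attach to an HTTP versus an HTTPS request (the mixed-content effect described above), and flags cookies set without the Secure attribute. The header values and URLs are constructed for illustration.

```python
"""Toy cookie jar showing how the Secure attribute gates transmission.

Constructed example; the header values and URLs below are made up.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse the name=value pair and the Secure attribute of a Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive, so normalise before checking
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name.strip(), value, "secure" in attrs)


def cookies_sent_for(jar: list[Cookie], url: str) -> list[str]:
    """Return the names of cookies a browser would attach to a request for url.

    Cookies carrying Secure are only attached when the scheme is https.
    """
    scheme = urlsplit(url).scheme.lower()
    return [c.name for c in jar if scheme == "https" or not c.secure]


def audit_set_cookie(headers: list[str]) -> list[str]:
    """Return the names of cookies set without the Secure attribute (what to fix)."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.secure]


if __name__ == "__main__":
    # Constructed headers: one compliant session cookie, one cookie missing the flag
    headers = [
        "sessionid=abc123; Path=/; HttpOnly; Secure",
        "prefs=dark; Path=/",
    ]
    jar = [parse_set_cookie(h) for h in headers]
    print(cookies_sent_for(jar, "http://example.com/"))   # ['prefs']
    print(cookies_sent_for(jar, "https://example.com/"))  # ['sessionid', 'prefs']
    print(audit_set_cookie(headers))                      # ['prefs']
```

The HTTP request above goes out without `sessionid`, which is exactly the intermittent-session symptom a mixed-content site will see once the flag is enabled.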