Cookie Flags: Secure


Why use this header at all?

The "Secure Flag" is a cookie attribute that tells the user's browser not to transmit this cookie over HTTP connections, preventing accidental unencrypted leakage of sessions and reducing the value of HTTP downgrade attacks.


Consider the Impact of Compliance section below to see if this recommendation works for you.

If your site supports HTTPS, and there is no technical reason you need to support the transmission of cookies via HTTP, enable this flag.

Risk Mitigated

By following this recommendation, what risk is mitigated?

Any sites that leverage cookies for session management are at risk of MiTM session hijacking.

Impact of Compliance

By using this header, you may expect these changes in your site's functionality.

If your site leverages mixed content (that is, a mixture of HTTP and HTTPS), enabling this flag will cause those pages to miss the session cookie, potentially causing intermittent session issues.

Next Steps

What you can do to get there

Some servers and programming languages have a configuration file (such as PHP.INI) that will allow you to automatically set this attribute when using the built-in cookie mechanisms. If your developers have implemented their own cookie/session management techniques, they may need to modify their code to comply.


What this header may look like when implemented securely

Set-Cookie: {cookieName}={cookieValue}; Secure

(This ignores other cookie parameters, such as path, expires, and other recommended headers.)
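
To check whether a response actually sets the flag, the following added example (not part of the original page) parses Set-Cookie headers and lists the cookies sent without Secure. The function names and the sample response are constructed for illustration; the sample includes a cookie whose value is the word "Secure" and a lowercase attribute, two cases a naive substring search gets wrong.

```python
# Added example: audit Set-Cookie response headers for the Secure attribute.
# The sample response below is constructed for illustration.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes dict).

    Only the first name=value pair is the cookie itself; everything after
    the first ';' is an attribute. Attribute names are case-insensitive,
    so they are lowercased before being stored.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_missing_secure(raw_headers):
    """Return the names of cookies set without the Secure attribute."""
    missing = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        # Header field names are case-insensitive; skip non-cookie lines.
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            missing.append(name)
    return missing


SAMPLE_RESPONSE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: csrftoken=xyz789; Path=/; secure
Set-Cookie: theme=Secure; Path=/
set-cookie: prefs=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; HttpOnly
"""

if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_RESPONSE_HEADERS):
        print(f"cookie set without Secure: {cookie}")
```
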