Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1100

Secure Cookie Flag

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Secure Cookie Flag?

Secure Cookie Flag: A cookie attribute that tells the browser to send the cookie only over HTTPS, preventing exposure in cleartext on the network.


The 'Secure' attribute on a 'Set-Cookie' header restricts a cookie to encrypted connections: the browser will never transmit it over plain HTTP, eliminating the most common interception path for session tokens and other sensitive values. It is mandatory whenever 'SameSite=None' is used and required by most modern privacy regimes for authentication cookies. 'Secure' must be combined with 'HttpOnly', 'SameSite' and an appropriate scope ('Domain', 'Path') for full hardening, and the site must enforce HTTPS end-to-end (HSTS, redirects) so the flag is meaningful. Setting a 'Secure' cookie via a plain-HTTP response is rejected by modern browsers.

Examples

  1. A session cookie: 'Set-Cookie: id=eyJ...; Secure; HttpOnly; SameSite=Lax; Path=/'.

  2. API tokens delivered as 'Set-Cookie: api_token=...; Secure; SameSite=Strict; HttpOnly'.
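As an added illustration (not code from the glossary or any product it describes), the following Python parses 'Set-Cookie' header values and audits them against the rules stated in the definition above: 'Secure' must be present, 'SameSite=None' is only valid together with 'Secure', and cookies carrying sessions or API tokens should also have 'HttpOnly' and an explicit 'SameSite'. The sample headers, the list of cookie names treated as sensitive, and the helper names ('parse_set_cookie', 'audit_set_cookie', 'build_hardened_set_cookie') are constructed assumptions for this example.

```python
from dataclasses import dataclass, field

# Constructed sample Set-Cookie header values (the first two mirror the
# glossary's examples; the rest are deliberately weak for the audit to catch).
SAMPLE_HEADERS = [
    "id=eyJ...; Secure; HttpOnly; SameSite=Lax; Path=/",
    "api_token=abc123; Secure; SameSite=Strict; HttpOnly",
    "session=deadbeef; Path=/; HttpOnly",                     # no Secure, no SameSite
    "tracker=xyz; SameSite=None; Path=/",                     # SameSite=None without Secure
    "session=deadbeef; Secure; Path=/; HttpOnly; Domain=.example.com",  # no SameSite
]

# Assumption: cookie names that carry authentication state and therefore
# deserve the full hardening set (Secure + HttpOnly + SameSite).
SENSITIVE_NAMES = ("id", "session", "api_token")


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> value string, or True for bare flags
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split a Set-Cookie value into cookie name, value and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_eq, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return ParsedCookie(name.strip(), value, attrs)


def audit_set_cookie(header: str, sensitive_names=SENSITIVE_NAMES) -> list:
    """Return a list of findings; an empty list means the cookie passes."""
    cookie = parse_set_cookie(header)
    findings = []
    has_secure = "secure" in cookie.attributes
    samesite = cookie.attributes.get("samesite")

    if not has_secure:
        findings.append(f"{cookie.name}: missing Secure (cookie can be sent over plain HTTP)")
    if isinstance(samesite, str) and samesite.lower() == "none" and not has_secure:
        findings.append(f"{cookie.name}: SameSite=None requires Secure; browsers reject this cookie")
    if cookie.name in sensitive_names:
        if "httponly" not in cookie.attributes:
            findings.append(f"{cookie.name}: sensitive cookie without HttpOnly")
        if samesite is None:
            findings.append(f"{cookie.name}: sensitive cookie without an explicit SameSite")
    return findings


def audit_all(headers) -> dict:
    """Map each header to its findings, keeping only headers that failed."""
    result = {}
    for h in headers:
        findings = audit_set_cookie(h)
        if findings:
            result[h] = findings
    return result


def build_hardened_set_cookie(name: str, value: str, samesite: str = "Lax", path: str = "/") -> str:
    """Emit a Set-Cookie value with the attribute set the glossary entry recommends."""
    if samesite not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    # Secure is always present, so SameSite=None is legal here as well.
    return f"{name}={value}; Secure; HttpOnly; SameSite={samesite}; Path={path}"


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(header)
        for f in findings:
            print("  -", f)
    print("hardened:", build_hardened_set_cookie("session", "deadbeef"))
```

The audit inspects the response header only. It cannot tell whether the site actually enforces HTTPS end-to-end (HSTS, HTTP-to-HTTPS redirects), which the definition above requires for the flag to be meaningful, so pair it with a check of the site's transport configuration.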

Frequently asked questions

What is Secure Cookie Flag?

A cookie attribute that tells the browser to send the cookie only over HTTPS, preventing exposure in cleartext on the network. It belongs to the Application Security category of cybersecurity.

What does Secure Cookie Flag mean?

A cookie attribute that tells the browser to send the cookie only over HTTPS, preventing exposure in cleartext on the network.

How do you defend against Secure Cookie Flag?

The flag is itself a defence: set it on every session and authentication cookie, combine it with 'HttpOnly', 'SameSite' and a tight 'Domain'/'Path' scope, and enforce HTTPS end-to-end (HSTS plus HTTP-to-HTTPS redirects) so the cookie is never requested over plain HTTP in the first place, as detailed in the full definition above.

What are other names for Secure Cookie Flag?

Common alternative names include: Secure flag.
