Cookie Without Secure Flag

Risk:
Low

Type:
Passive

CWE:
CWE-614

Summary: A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

Solution: Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

References: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html

Free online web security scanner

Don't show website scan report rating on the leaderboard