cookie-secure-flag-not-set
Ensure cookies are set to secure
When setting cookies, the `secure` flag ensures that the cookie will only be sent over an encrypted HTTPS connection that uses TLS, and never over an unencrypted HTTP connection. Cookies should always set `secure: true` if the cookie contains any sensitive data (a session identifier) or user data (personally identifiable information, settings, app-specific information). Non-sensitive cookies (like analytics) may not need to be protected with the `secure` flag if your site contains pages delivered via HTTP.
Examples
Insecure Example

```javascript
const express = require('express');
const session = require('express-session');
const app = express();

// Example 1 - express-session
// explicitly turned off
app.use(session({
  secret: 'keyboard cat',
  resave: true,
  saveUninitialized: true,
  cookie: { secure: false } // session cookie is also sent over plain HTTP
}))

// by default this is not set to true! (dangerous)
app.use(session({
  secret: 'keyboard cat',
  resave: true,
  saveUninitialized: true
  // no cookie.secure option given: it defaults to false
}))
```
Secure Example

```javascript
const express = require('express');
const session = require('express-session');
const app = express();

// Example 1 - express-session
app.use(session({
  secret: 'keyboard cat',
  resave: true,
  saveUninitialized: true,
  cookie: { secure: true } // session cookie is only sent over HTTPS
}))
```
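The condition this rule flags, seen from the response side: the following is an added example (not code from this rule page or from express-session) that parses `Set-Cookie` header values and reports cookies lacking the `Secure` attribute. The header strings are constructed samples, and the name hints used to rate a finding's severity are an assumption, not part of the rule.

```javascript
// Added example: audit Set-Cookie headers for a missing Secure attribute.
// Attribute names are case-insensitive (RFC 6265), so "secure", "Secure"
// and "SECURE" all count as the flag being present.
// Assumed heuristic: cookie names containing these substrings are treated
// as session/auth cookies and rated "high"; everything else is "low".
const SENSITIVE_NAME_HINTS = ['sess', 'sid', 'token', 'auth'];

// Split one Set-Cookie value into the cookie name and a map of attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');            // value may itself contain '='
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const attributes = {};
  for (const attr of attrs) {
    const [k, ...v] = attr.split('=');
    attributes[k.trim().toLowerCase()] = v.length ? v.join('=').trim() : true;
  }
  return { name, attributes };
}

// Return one finding per cookie that is set without the Secure attribute.
function auditSetCookie(headers) {
  const findings = [];
  for (const header of headers) {
    const { name, attributes } = parseSetCookie(header);
    if ('secure' in attributes) continue;
    const looksSensitive = SENSITIVE_NAME_HINTS.some(
      (h) => name.toLowerCase().includes(h)
    );
    findings.push({
      name,
      severity: looksSensitive ? 'high' : 'low',
      message: `cookie "${name}" is set without the Secure attribute`,
    });
  }
  return findings;
}

// Constructed sample headers (not captured from real traffic).
const SAMPLE_HEADERS = [
  'connect.sid=s%3Aabc.def; Path=/; HttpOnly',          // express-session default: no Secure
  'connect.sid=s%3Aabc.def; Path=/; HttpOnly; Secure',  // cookie: { secure: true }
  '_ga=GA1.2.123; Path=/; Max-Age=63072000',            // analytics cookie, low severity
  'theme=dark; path=/; SECURE',                         // flag present, odd casing
];

console.log(JSON.stringify(auditSetCookie(SAMPLE_HEADERS), null, 2));
```

Note that express-session only emits `Secure` when `cookie.secure` is true, and when the app sits behind a TLS-terminating proxy you also need `app.set('trust proxy', 1)`, otherwise express-session sees a plain HTTP request and will not set the session cookie at all.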