cookie-secure-flag-not-set

Ensure cookies are set to secure

When setting cookies, the Secure flag ensures that the browser will only send the cookie over an encrypted HTTPS connection (TLS), never over plain HTTP where it could be read or replaced on the wire. Cookies should always set the Secure flag (secure: true in express-session) when they carry sensitive data (a session identifier) or user data (personally identifiable information, settings, app-specific info). Non-sensitive cookies (such as analytics) may not need the Secure flag if your site still delivers some pages over HTTP.

Examples

Insecure Example

// Example 1 - express-session
const express = require('express')
const session = require('express-session')
const app = express()

// explicitly turned off: the session cookie is sent over plain HTTP
app.use(session({
    secret: 'keyboard cat',
    resave: true,
    saveUninitialized: true,
    cookie: { secure: false }
}))

// no cookie.secure option at all: the default is not true! (dangerous)
app.use(session({
    secret: 'keyboard cat',
    resave: true,
    saveUninitialized: true
}))

Secure Example

// Example 1 - express-session
const express = require('express')
const session = require('express-session')
const app = express()

// cookie.secure: true adds the Secure attribute to the Set-Cookie header,
// so the browser only sends the session cookie over HTTPS
app.use(session({
    secret: 'keyboard cat',
    resave: true,
    saveUninitialized: true,
    cookie: { secure: true }
}))
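To verify the fix from the outside, you can inspect the Set-Cookie headers a server actually returns rather than trusting the configuration. The following is an added example, not part of this rule's documentation or of express-session: it parses raw Set-Cookie header values (the shape Node's `http` module exposes in `headers['set-cookie']`) and reports which cookies lack the Secure attribute. The sample headers are constructed for illustration.

```javascript
// Parse one raw Set-Cookie header value into its name and the
// attributes relevant to this rule. Attribute names are case-insensitive.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const name = parts[0].split('=')[0].trim();
  const attrs = new Set(
    parts.slice(1).map((p) => p.split('=')[0].trim().toLowerCase())
  );
  return {
    name,
    secure: attrs.has('secure'),
    httpOnly: attrs.has('httponly'),
  };
}

// Return the names of cookies that would be sent over plain HTTP
// because the Secure attribute is missing.
function findInsecureCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((cookie) => !cookie.secure)
    .map((cookie) => cookie.name);
}

// Constructed sample headers (not captured from a real server):
// - connect.sid without Secure is what the insecure examples above produce
// - connect.sid with Secure is what cookie: { secure: true } produces
// - _ga stands in for a non-sensitive analytics cookie
const SAMPLE_HEADERS = [
  'connect.sid=s%3Aabc.def; Path=/; HttpOnly',
  'connect.sid=s%3Aabc.def; Path=/; HttpOnly; Secure',
  '_ga=GA1.2.123; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT',
];

// Expected result: ['connect.sid', '_ga']
const insecureCookies = findInsecureCookies(SAMPLE_HEADERS);
console.log('cookies missing Secure:', insecureCookies);
```

Run it against the headers of a real response from your application; a session cookie appearing in the output means the secure flag is not actually reaching the browser, for example when TLS is terminated at a proxy and Express has not been told to trust it.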