Secure Cookie Flag (Secure Flag)

Security Glossary - Web Security

Definition: The Secure flag on a cookie instructs the browser to only send the cookie over HTTPS connections, never over plain HTTP. This prevents session cookies and other sensitive cookies from being transmitted in cleartext where they could be intercepted by network attackers.

Why You Should Care About Secure Flag

Without the Secure flag, a cookie set over HTTPS can still be sent over HTTP if the user navigates to or is redirected to an HTTP URL. An attacker performing a MITM attack could downgrade the connection to HTTP and capture the cookie in transit. HSTS mitigates this for the domain itself, but the Secure flag provides defense at the cookie level.

The Secure flag should be set on all session cookies and any cookies containing sensitive data. On sites that exclusively use HTTPS (which should be all sites), there is no reason not to set the Secure flag on every cookie.

Note that the Secure flag does not encrypt the cookie value; it only restricts the cookie to HTTPS connections. The cookie value is still visible in browser developer tools and to JavaScript (unless HttpOnly is also set). For storing sensitive data, encrypt the cookie value server-side or use server-side sessions.

Checking Your Setup

A security audit checks the Secure flag on all cookies. Verify it is set on session cookies and any cookies containing tokens, identifiers, or sensitive data. If your site uses HTTPS exclusively (as it should), set Secure on all cookies.
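As an added example (not the glossary's own scanner), the following Python audits Set-Cookie header values for the Secure flag and its companions; the cookie-name hints used to decide what counts as sensitive are an assumption, and the sample headers are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed name fragments that mark a cookie as sensitive (sessions, tokens, ids).
SENSITIVE_HINTS = ("sess", "token", "auth", "id")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Split one Set-Cookie value into the cookie name and its attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        # Flag attributes like "Secure" carry no value; store True for them.
        attrs[key.strip().lower()] = value.strip() or True
    samesite = attrs.get("samesite")
    return CookieReport(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=samesite if isinstance(samesite, str) else None,
    )


def audit_cookie(header: str) -> CookieReport:
    """Report flags missing from one cookie, applying the rules stated above."""
    report = parse_set_cookie(header)
    sensitive = any(h in report.name.lower() for h in SENSITIVE_HINTS)
    if not report.secure:  # every cookie on an HTTPS-only site should be Secure
        report.findings.append("missing Secure: cookie can be sent over plain HTTP")
    if sensitive and not report.httponly:
        report.findings.append("missing HttpOnly: readable by JavaScript")
    if report.samesite is None:
        report.findings.append("SameSite not set: relying on browser default")
    elif report.samesite.lower() == "none":
        report.findings.append("SameSite=None: sent on cross-site requests")
    return report


# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "auth_token=xyz; Path=/; SameSite=None; Secure",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = audit_cookie(h)
        print(r.name, "OK" if not r.findings else "; ".join(r.findings))
```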


Questions and Answers

Is the Secure flag enough to protect cookies?
No. The Secure flag prevents HTTP transmission, but cookies also need HttpOnly (prevent JavaScript access) and SameSite (prevent cross-site sending). All three flags together cover cookie protection end to end.
Will the Secure flag work on localhost?
Most browsers treat localhost as a secure context, so Secure cookies work during local development. However, if you access your dev server over HTTP with a non-localhost hostname, Secure cookies will not be sent.