
The cookie is missing security flag Secure

It is recommended to set the Secure flag on every new cookie.

Risk

The Secure flag is a directive to the browser that the cookie must only be sent over encrypted connections, never over insecure ones (http://). Without it, a cookie issued during an HTTPS session can be exposed in cleartext on any later plain-HTTP request to the same host.

Vulnerable Code

var cookie = new HttpCookie("test"); // Secure is not set: the browser will also send this cookie over http://

Solution

<!-- web.config: require the Secure flag on every cookie the application issues -->
<httpCookies requireSSL="true" [..] />

var cookie = new HttpCookie("test");
cookie.Secure = true; // Add this flag
cookie.HttpOnly = true; // Also keeps the cookie out of reach of client-side script
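A response-side check that complements the code-level rule, added here as an example rather than code from the page or from the Security Code Scan project: it parses raw Set-Cookie header values (constructed samples, not taken from any real server) and reports which cookies lack the Secure and HttpOnly flags, so a deployment can be verified independently of how the cookies were created.

```python
"""Audit Set-Cookie response headers for the Secure (and HttpOnly) flag."""


def parse_set_cookie(header):
    """Split one Set-Cookie header value into its cookie name and a dict
    of attributes. Attribute names are lower-cased because RFC 6265 treats
    them case-insensitively; flag attributes without a value map to True."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def missing_flags(header):
    """Return (cookie name, list of security flags the cookie lacks)."""
    name, attrs = parse_set_cookie(header)
    wanted = (("Secure", "secure"), ("HttpOnly", "httponly"))
    return name, [flag for flag, key in wanted if key not in attrs]


def audit(headers):
    """Map each cookie name to the flags it is missing; [] means it is fine."""
    return dict(missing_flags(h) for h in headers)


# Constructed sample headers, as a server might emit them (not from the page).
SAMPLE_HEADERS = [
    "test=abc123; Path=/",                                          # vulnerable case
    "session=xyz; Path=/; Secure; HttpOnly",                        # hardened
    "pref=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; HttpOnly",   # Secure missing
    "tracker=1; secure",                                            # lower-case flag still counts
]

if __name__ == "__main__":
    for cookie_name, missing in audit(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie_name}: {status}")
```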

References

CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE-315: Cleartext Storage of Sensitive Information in a Cookie
CWE-311: Missing Encryption of Sensitive Data
OWASP: Secure Flag
Rapid7: Missing Secure Flag From SSL Cookie