Authentication & Identity
Secure Flag
The Secure flag on a cookie instructs browsers to only send the cookie over HTTPS connections, never over plain HTTP. This prevents cookies from being stolen by network attackers when a user accidentally visits the HTTP version of your site before being redirected to HTTPS. Any cookie containing sensitive information or session data should have the Secure flag set. When combined with HSTS, the Secure flag ensures cookies are never exposed over cleartext connections.
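As an added example (not code from the original page), the following Python audits `Set-Cookie` header values for the Secure attribute and produces a corrected header. It applies the page's rule that sensitive or session cookies must carry Secure, and it also checks the `__Secure-` name prefix, which browsers only honour when the Secure attribute is present; the sample headers are constructed.

```python
# Added example (not from the original page): audit Set-Cookie headers for the
# Secure attribute and produce a corrected header. Besides the page's rule
# (sensitive/session cookies need Secure), it also checks the __Secure- name
# prefix, which browsers only accept when the Secure attribute is present.
from typing import Dict, List, Tuple

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are case-insensitive (RFC 6265), so they are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:  # skip empty segments such as a trailing ';'
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_set_cookie(header: str, sensitive: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the header is acceptable."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        if sensitive:
            findings.append("missing Secure: browser will send it over plain HTTP")
        if name.startswith("__Secure-"):
            findings.append("__Secure- prefix without Secure: browser will reject the cookie")
    return findings

def add_secure_flag(header: str) -> str:
    """Return the header unchanged if Secure is present, otherwise append it."""
    if "secure" in parse_set_cookie(header)[2]:
        return header
    return header.rstrip().rstrip(";") + "; Secure"

# Constructed sample headers (hypothetical), mapped to whether the cookie is sensitive.
SAMPLE_HEADERS: Dict[str, bool] = {
    "sessionid=abc123; Path=/; HttpOnly": True,          # session cookie, weak
    "sessionid=abc123; Path=/; HttpOnly; Secure": True,  # session cookie, correct
    "__Secure-csrf=tok; Path=/": True,                   # prefix used without Secure
    "theme=dark; Path=/": False,                         # non-sensitive preference
}

def audit_all(headers: Dict[str, bool] = SAMPLE_HEADERS) -> Dict[str, List[str]]:
    """Map each raw header to its findings."""
    return {h: audit_set_cookie(h, sensitive) for h, sensitive in headers.items()}

if __name__ == "__main__":
    for header, findings in audit_all().items():
        print(header, "->", findings or "ok")
```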
Why it matters for your website
- Directly impacts resistance to account takeover and credential theft
- Required for SOC 2, HIPAA, and PCI-DSS compliance
- Misconfiguration can expose all user accounts to attack