Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Table of contents
  1. Secure Cookies Security Assessment
  2. Secure Cookies Vulnerability Information
  3. How to Enable Secure Cookies

Secure Cookies Security Assessment


CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Secure Cookies Vulnerability Information


Client-side scripts running in the page can read cookies that are not marked as HttpOnly. In the case of a Cross-Site Scripting (XSS) attack, the injected script can read these cookies.

Depending on the cookie content, consider enabling both flags for all cookies. This is especially important for session cookies.


How to Enable Secure Cookies

To mark cookies as Secure and HttpOnly, you need to configure the web framework that issues the cookies. Follow these guides for the correct settings:

PHP

In PHP, configure the session cookie settings for all delivered websites. Set the following directives in your /etc/php/php.ini file:

session.cookie_secure = 1
session.cookie_httponly = 1

Django

In Django, make the following session cookie settings in your project's settings.py file (the values are Python booleans, so they must be written as True):

SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True
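To check whether a framework actually emits the flags the guides above configure, and to illustrate the Secure and HttpOnly behaviour described in the vulnerability information, here is an added Python example (not code from the original page or from either framework). It parses raw Set-Cookie header values, reports cookies missing either flag, and builds a correctly flagged session cookie header with the standard library. The session cookie names listed are an assumption (the PHP and Django defaults plus a generic fallback), and the sample headers are constructed.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example: parses Set-Cookie header values as a server emits them,
reports which cookies lack the Secure or HttpOnly attribute, and shows
how a correctly flagged session cookie header is built.
"""
from http.cookies import SimpleCookie

# Cookie names treated as session cookies. Assumption: the PHP default
# (PHPSESSID), the Django default (sessionid) and a generic fallback.
SESSION_COOKIE_NAMES = {"PHPSESSID", "sessionid", "session"}


def parse_set_cookie(header_value):
    """Return (name, attributes) for one Set-Cookie header value.

    Attribute names are lower-cased. Flag attributes (Secure, HttpOnly)
    map to True; valued attributes (Path, Max-Age, ...) to their string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def audit_cookie(header_value):
    """Return a list of findings (strings) for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header_value)
    kind = "session cookie" if name in SESSION_COOKIE_NAMES else "cookie"
    findings = []
    if attrs.get("secure") is not True:
        findings.append(f"{name}: {kind} missing Secure flag (can be sent over plain HTTP)")
    if attrs.get("httponly") is not True:
        findings.append(f"{name}: {kind} missing HttpOnly flag (readable by page scripts)")
    return findings


def audit_headers(header_values):
    """Audit several Set-Cookie values; returns {cookie name: [findings]}."""
    report = {}
    for value in header_values:
        name, _ = parse_set_cookie(value)
        report[name] = audit_cookie(value)
    return report


def secure_session_cookie(name, value):
    """Build a Set-Cookie header value with both flags set (via SimpleCookie)."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True      # only sent over HTTPS
    cookie[name]["httponly"] = True    # not exposed to document.cookie
    cookie[name]["path"] = "/"
    # OutputString() renders the attributes, e.g. "...; HttpOnly; Path=/; Secure"
    return cookie[name].OutputString()


# Constructed sample headers, as a scanner would see them in a response.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/",                # no flags at all
    "sessionid=xyz789; Path=/; HttpOnly",      # Secure missing
    "theme=dark; Path=/; Secure; HttpOnly",    # correctly flagged
]

if __name__ == "__main__":
    for cookie_name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: {'; '.join(findings) if findings else 'OK'}")
    print("Hardened header:", secure_session_cookie("sessionid", "xyz789"))
```

Run it against the Set-Cookie values copied from a real response (for example from the browser's network tab) after changing the php.ini or settings.py values above, to confirm the session cookie now carries both attributes.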
