Audit required: Cookie is transmitted over an insecure connection CS-A1009

Setting Secure to false means that the cookie is allowed to be transmitted over an insecure connection. It is always recommended that you send and receive information only via a secure line.

Examples

Bad Practice

cookie.Secure = false;

Recommended

[Flags]
cookie.Secure = true;

Reference

• HttpCookie.Secure
• A04:2021 – Insecure Design
• A05:2021 – Security Misconfiguration
• CWE-311: Missing Encryption of Sensitive Data
• CWE-315: Cleartext Storage of Sensitive Information in a Cookie
• CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute