secure
attribute PTC-W600346@app.get("/")
47def home():
48 response = flask.make_response()
49 response.set_cookie("userid", uuid4().hex)
Cookies set without the secure
flag can be observed by an unauthorized person, leading to a man-in-the-middle attack.
Generally, the production sites redirect any requests that are sent over HTTP to the same URL but on HTTPS.
In this case, make sure that these HTTP requests that are immediately redirected to HTTPS do not carry any cookie that contains sensitive information.
The secure
flag limits cookies to HTTPS traffic only so, the browser will never send secure cookies with requests that are not encrypted.
# The cookie is not secure here:
some_response.set_cookie('sensitive', 'some_value')
# The cookie is secure here:
some_response.set_cookie('sensitive', 'some_value', secure=True)
While this issue mostly makes sense if you're setting a sensitive cookie, DeepSource will flag all the cookies encountered without the secure
flag.
This is to ensure that you are aware about all the cookies set, and avoid false negatives.