Cookies without the Secure flag set may be transmitted over plain HTTP instead of HTTPS. This leaves them vulnerable to being read by a third-party attacker who can observe the network traffic. If a sensitive cookie such as a session key is intercepted this way, it would allow the attacker to perform actions on the user's behalf.

Always set secure to True, or add ; Secure; to the cookie's raw header value, so that the browser only sends the cookie over an encrypted (HTTPS/TLS) connection.

In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the case marked BAD they are not set.
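The following is an added example (not code from the original page) that shows both ways of applying the fix in Python using only the standard-library http.cookies module: setting the secure attribute on a cookie object (marked GOOD when True, BAD when False) and appending ; Secure to a raw Set-Cookie header value. It also includes a small audit helper that scans a list of Set-Cookie header values and reports the cookies that lack the flag; the header values it runs over are constructed sample data, and all function names are this example's own.

```python
from http.cookies import SimpleCookie


def build_session_cookie(session_id: str, secure: bool = True) -> str:
    """Return a raw Set-Cookie header value for a session cookie.

    secure=True  -> GOOD: the browser only sends the cookie over HTTPS.
    secure=False -> BAD: the cookie may also travel over plain HTTP.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["secure"] = secure      # emits "; Secure" only when True
    morsel["httponly"] = True      # keeps the cookie away from page scripts
    morsel["path"] = "/"
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def _attribute_names(header_value: str) -> set:
    """Lower-cased attribute names of a Set-Cookie header value (everything after the first ';')."""
    parts = [p.strip() for p in header_value.split(";")[1:]]
    return {p.split("=", 1)[0].strip().lower() for p in parts if p}


def has_secure_flag(header_value: str) -> bool:
    """True if the raw Set-Cookie value carries the Secure attribute (case-insensitive)."""
    return "secure" in _attribute_names(header_value)


def ensure_secure_flag(header_value: str) -> str:
    """Raw-header variant of the fix: append '; Secure' when it is missing, otherwise leave unchanged."""
    if has_secure_flag(header_value):
        return header_value
    return header_value.rstrip("; ") + "; Secure"


def cookies_missing_secure(set_cookie_values) -> list:
    """Audit helper: names of cookies in the given Set-Cookie values that lack the Secure flag."""
    missing = []
    for value in set_cookie_values:
        name = value.split(";", 1)[0].split("=", 1)[0].strip()
        if not has_secure_flag(value):
            missing.append(name)
    return missing


# Constructed sample headers, as a server might emit them in one response.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",                 # BAD: no Secure flag
    "csrftoken=t0k3n; Path=/; SameSite=Lax; Secure",    # GOOD
    "tracking=xyz; Path=/; Max-Age=3600",               # BAD: no Secure flag
]

if __name__ == "__main__":
    print("GOOD:", build_session_cookie("abc123"))
    print("BAD: ", build_session_cookie("abc123", secure=False))
    print("Cookies missing Secure:", cookies_missing_secure(SAMPLE_HEADERS))
    print("Repaired:", ensure_secure_flag(SAMPLE_HEADERS[0]))
```

The audit helper is the kind of check you can run against captured response headers in a test suite to catch regressions; it only inspects attribute names, so a cookie is reported whether the flag is missing entirely or merely spelled in a different case.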

  • Detectify: Cookie lack Secure flag.
  • PortSwigger: TLS cookie without secure flag set.
  • MDN: Set-Cookie.