Cookies sent over an unencrypted HTTP connection can be intercepted by an attacker positioned on the network path. If a sensitive cookie such as a session identifier or authentication token is intercepted, the attacker can replay it and perform actions on the user's behalf.

Always transmit sensitive cookies over HTTPS (TLS) by setting the Secure attribute on the cookie: a browser only sends a cookie marked Secure over an encrypted connection. Secure on its own prevents clear-text transmission but does nothing against script access or cross-site requests, so sensitive cookies should normally also carry HttpOnly and an appropriate SameSite value.

The following example stores an authentication token in a cookie without the Secure attribute, so it can be transmitted in clear text.

To force the cookie to be transmitted only over HTTPS, set the Secure attribute on the cookie (in Express, for example, `res.cookie(name, value, { secure: true })`).
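As an added example that is not part of the original page or of any framework's own code, the following plain Node.js snippet shows both sides of the fix: a helper that builds a Set-Cookie header with Secure (and HttpOnly, SameSite) on by default, and a small auditor that parses a Set-Cookie header and reports which protective attributes are missing. The helper names (`buildSetCookie`, `parseSetCookie`, `auditSetCookie`, `issueAuthCookie`) and the token value are hypothetical and constructed for this illustration; the only browser behaviour relied on is that a cookie marked Secure is sent solely over HTTPS and that the `__Secure-` name prefix is rejected by browsers unless Secure is present.

```javascript
'use strict';
// Added example (not from the original page). Helper names and the sample
// token are constructed for illustration only.

// Build a Set-Cookie header value. Secure and HttpOnly default to true so a
// forgotten option fails safe instead of silently producing a clear-text cookie.
function buildSetCookie(name, value, opts = {}) {
  const { secure = true, httpOnly = true, sameSite = 'Strict', path = '/', maxAge } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (typeof maxAge === 'number') parts.push(`Max-Age=${maxAge}`);
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Parse a Set-Cookie header value into the cookie name and a lower-cased
// attribute map (value-less attributes such as Secure map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, attributes };
}

// Audit a Set-Cookie header for a sensitive cookie and return the problems found.
// An empty array means the cookie will only travel over HTTPS and is also
// shielded from script access and cross-site requests.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const problems = [];
  if (!('secure' in attributes)) problems.push('missing Secure: cookie may be sent over plain HTTP');
  if (!('httponly' in attributes)) problems.push('missing HttpOnly: cookie readable from script');
  if (!('samesite' in attributes)) problems.push('missing SameSite: cookie sent on cross-site requests');
  // Browsers enforce the __Secure- prefix: such a cookie is dropped unless Secure is set.
  if (name.startsWith('__Secure-') && !('secure' in attributes)) {
    problems.push('__Secure- prefix requires the Secure attribute');
  }
  return problems;
}

// Issue an authentication-token cookie on a Node http.ServerResponse-like object
// (anything exposing setHeader). Uses the safe defaults above.
function issueAuthCookie(res, token) {
  const header = buildSetCookie('__Secure-authToken', token, { maxAge: 3600 });
  res.setHeader('Set-Cookie', header);
  return header;
}

// Demonstration with a constructed clear-text cookie and its hardened form.
const weak = 'authToken=demo-token-123; Path=/';
const strong = buildSetCookie('__Secure-authToken', 'demo-token-123');
console.log('weak   ->', auditSetCookie(weak));
console.log('strong ->', auditSetCookie(strong));
```

Running the file prints three findings for the clear-text cookie and none for the hardened one. In a real Express application the same result is reached with `res.cookie(name, value, { secure: true, httpOnly: true, sameSite: 'strict' })`; the auditor above is useful as a test-suite check that no response in the application issues a sensitive cookie without these attributes.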

  • ExpressJS: Use cookies securely.
  • OWASP: Set cookie flags appropriately.
  • Mozilla: Set-Cookie.