Failing to set the `secure` flag on a cookie allows the browser to send it over unencrypted HTTP connections, in cleartext. This makes it easier for an attacker on the network path to intercept the cookie and any session it identifies.

Always set the `secure` flag to `true` on a cookie before adding it to an HTTP response; do this explicitly, because many cookie libraries default it to `false`.
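As an added example (not code from the original page or from Express), the following stand-alone script builds `Set-Cookie` header values in the same format Express's `res.cookie()` emits, shows the weak call beside the fixed one, and includes a small audit function a defender can run over a response's `Set-Cookie` headers to catch cookies that lack `Secure`. It assumes no third-party modules; the cookie names and values are constructed.

```javascript
// Build a Set-Cookie header value. `secure` defaults to false here on
// purpose, mirroring libraries whose default is insecure.
function serializeCookie(name, value, options = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (options.httpOnly) parts.push('HttpOnly');
  if (options.secure) parts.push('Secure');
  if (options.sameSite) parts.push(`SameSite=${options.sameSite}`);
  if (options.maxAge !== undefined) parts.push(`Max-Age=${options.maxAge}`);
  if (options.path) parts.push(`Path=${options.path}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into its name and a set of
// lower-cased attribute names (attribute values are not needed here).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const attributes = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name, attributes };
}

// Audit every Set-Cookie header of a response and return the names of
// cookies that would be sent in cleartext because `Secure` is absent.
function findInsecureCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attributes.has('secure'))
    .map((c) => c.name);
}

// Weak: `secure` left at its default (false), so the session id can
// travel over plain HTTP (constructed sample cookie).
const weakCookie = serializeCookie('sid', 'abc123', { httpOnly: true });

// Fixed: `Secure` set explicitly, with HttpOnly and SameSite as defence in depth.
const fixedCookie = serializeCookie('sid', 'abc123', {
  httpOnly: true,
  secure: true,
  sameSite: 'Strict',
});

console.log('weak :', weakCookie);
console.log('fixed:', fixedCookie);
console.log('insecure cookies:', findInsecureCookies([weakCookie, fixedCookie]));
```

The audit function is the kind of check that belongs in an integration test against a staging server's real `Set-Cookie` headers, where a library default of `false` would otherwise go unnoticed.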

  • Production Best Practices: Security: Use cookies securely.
  • NodeJS security cheat sheet: Set cookie flags appropriately.
  • express-session: cookie.secure.
  • cookie-session: Cookie Options.
  • express: response.cookie.
  • Set-Cookie.
  • js-cookie.