Cookies without the Secure flag set may be transmitted using HTTP instead of HTTPS, which leaves them vulnerable to reading by a third party.

Cookies without the HttpOnly flag set are accessible to JavaScript running in the same origin. In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.

Cookies with the SameSite attribute set to 'None' will be sent with cross-origin requests, which can be controlled by third-party JavaScript code and allow for Cross-Site Request Forgery (CSRF) attacks.

Always set secure to True or add "; Secure;" to the cookie's raw value.

Always set httponly to True or add "; HttpOnly;" to the cookie's raw value.

Always set samesite to Lax or Strict, or add "; SameSite=Lax;", or "; Samesite=Strict;" to the cookie's raw header value.

In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the cases marked BAD they are not set.

Detectify: Cookie lack Secure flag.

PortSwigger: TLS cookie without secure flag set.