Setting the 'secure' flag on a cookie to False allows it to be sent in cleartext over plain HTTP, where it can be read on the network. Setting the 'httponly' flag on a cookie to False allows JavaScript (for example, an XSS payload) to read it via document.cookie. Setting the 'samesite' flag on a cookie to 'None' causes the cookie to be sent in third-party (cross-site) contexts, which may be attacker-controlled.

Always set secure to True or add "; Secure;" to the cookie's raw value.

Always set httponly to True or add "; HttpOnly;" to the cookie's raw value.

Always set samesite to Lax or Strict, or add "; SameSite=Lax;" or "; SameSite=Strict;" to the cookie's raw header value.

This example shows two ways of adding a cookie to a Flask response. The first way uses set_cookie's secure flag and the second adds the secure flag in the cookie's raw value.
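The two ways described above, as an added example that is not the page's or Flask's own code. Flask's Response.set_cookie takes the flags as the secure=, httponly= and samesite= keyword arguments; to stay runnable without Flask installed, the block below sets the same attributes through the standard library's http.cookies, builds the raw header form by hand, and adds a hypothetical audit_set_cookie helper that reports exactly the three weaknesses this rule describes. The token value is constructed sample data.

```python
"""Build and audit Set-Cookie header values for the Secure, HttpOnly and
SameSite attributes.  Added example; standard library only, no Flask needed.
In Flask the same flags are keyword arguments of Response.set_cookie, e.g.
    resp.set_cookie("session", token, secure=True, httponly=True, samesite="Lax")
"""
from http.cookies import SimpleCookie
from typing import Dict, List

# Constructed sample value; a real session token is random and secret.
SAMPLE_TOKEN = "0123456789abcdef"


def build_hardened_cookie(name: str, value: str, samesite: str = "Lax") -> str:
    """Way 1: set the flags through the cookie API (what set_cookie's
    secure=/httponly=/samesite= arguments do in Flask).  Returns the
    Set-Cookie header value."""
    if samesite not in ("Lax", "Strict"):
        raise ValueError("SameSite must be Lax or Strict, never None")
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True         # only sent over HTTPS
    morsel["httponly"] = True       # not readable from document.cookie
    morsel["samesite"] = samesite   # not sent in cross-site third-party contexts
    return morsel.OutputString()


def build_hardened_cookie_raw(name: str, value: str, samesite: str = "Lax") -> str:
    """Way 2: append the attributes to the raw header value by hand, the
    '; Secure; HttpOnly; SameSite=Lax' form the text describes."""
    if samesite not in ("Lax", "Strict"):
        raise ValueError("SameSite must be Lax or Strict, never None")
    return f"{name}={value}; Secure; HttpOnly; SameSite={samesite}"


def audit_set_cookie(header: str) -> List[str]:
    """Hypothetical checker: parse a Set-Cookie header value and return the
    weaknesses this rule describes.  Attribute names are case-insensitive
    (RFC 6265), so 'secure', 'Secure' and 'SECURE' all count."""
    parts = [p.strip() for p in header.split(";")]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:          # parts[0] is the name=value pair
        if not part:                # tolerate a trailing ';'
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent in cleartext over HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by JavaScript (XSS can steal it)")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite: set Lax or Strict explicitly")
    elif samesite.lower() == "none":
        findings.append("SameSite=None: cookie sent in third-party contexts")
    elif samesite.lower() not in ("lax", "strict"):
        findings.append(f"unrecognised SameSite value {samesite!r}")
    return findings


if __name__ == "__main__":
    weak = f"session={SAMPLE_TOKEN}; Path=/"      # the insecure 'before'
    for label, hdr in (
        ("weak", weak),
        ("api ", build_hardened_cookie("session", SAMPLE_TOKEN)),
        ("raw ", build_hardened_cookie_raw("session", SAMPLE_TOKEN, "Strict")),
    ):
        print(f"{label}: {hdr}")
        for finding in audit_set_cookie(hdr) or ["OK"]:
            print("      ", finding)
```

Both builders refuse SameSite=None outright. Browsers additionally reject SameSite=None unless Secure is also present, so a cookie that legitimately needs cross-site delivery must still be marked Secure; it simply falls outside what this rule wants you to emit by default.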

  • Detectify: Cookie lack Secure flag.
  • PortSwigger: TLS cookie without secure flag set.