Secure Cookie Flag Explained
The Secure cookie flag tells the browser to only send a cookie over an encrypted HTTPS connection, never over plain HTTP. This stops a network attacker from reading a session cookie as it travels over an insecure link — the kind of interception that public Wi-Fi and man-in-the-middle positions make possible.
What is the Secure flag?
Defined in the cookie specification (RFC 6265), the Secure attribute is set in the Set-Cookie header. Without it, a cookie is attached to requests over both HTTP and HTTPS. If any request to the site ever goes out over plain HTTP — a mistyped link, a stray resource, a downgrade attack — the cookie travels in cleartext and can be captured. Marking the cookie Secure means the browser withholds it entirely on HTTP, so it is only ever exposed inside TLS.
Example Set-Cookie with Secure
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/
Secure, HTTPS, and HSTS
The Secure flag assumes your site is served over HTTPS in the first place. It pairs naturally with HSTS, which forces the browser to use HTTPS for the whole site: HSTS guarantees the connection is encrypted, and Secure guarantees the cookie only rides that encrypted connection. Together they close the gap that SSL-stripping attacks aim for.
The __Secure- and __Host- prefixes
Browsers enforce extra rules on cookies whose names start with special prefixes. A cookie named __Secure- must carry the Secure flag; a cookie named __Host- must be Secure, have no Domain, and use Path=/. Using the __Host- prefix for session cookies is a strong, browser-enforced way to lock down scope and transport at once.
How to check the Secure flag
Confirm a site's cookies are marked Secure (along with HttpOnly and SameSite) by inspecting its Set-Cookie headers with the free HTTP headers checker.
Common mistakes
- Omitting Secure on session cookies. Any plaintext request then leaks the cookie. It should be on every sensitive cookie.
- Secure without HttpOnly and SameSite. Secure only protects transport; combine all three for full coverage.
- Forgetting
SameSite=Noneneeds Secure. A cross-site cookie must be Secure or the browser drops it.
Related guides
Secure is one of three cookie security flags, with HttpOnly and SameSite. It works hand in hand with HSTS and a valid TLS certificate.
Frequently asked questions
What does the Secure cookie flag do?
It makes the browser send the cookie only over HTTPS, never plain HTTP, so it cannot be intercepted on an unencrypted connection.
Is the Secure flag enough on its own?
No. It protects the cookie in transit but not from JavaScript (HttpOnly) or cross-site sending (SameSite). Use all three flags together.
What is the __Host- prefix?
A cookie name prefix the browser enforces: a __Host- cookie must be Secure, have no Domain, and use Path=/. It is a strong way to lock a session cookie's transport and scope.