Skip to main content
Version: v1

Cookie Without Secure Flag

Cookie Without Secure Flag

What is it?

The API endpoint or server is setting a cookie without the secure flag, which means that the cookie can be accessed via unencrypted connections.

References

Test case FAQs

When is this test case applicable?

This is applicable for all API endpoints when the Baseline security category is enabled in test plans.

How does it work?

Responses sent by the API server are analyzed for the 'Set-Cookie' header without the 'Secure' flag.

What is the solution?

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.