Severity: medium | CWE-614 | OWASP Top 10 A02:2021

Cookies Without Secure Flag

Session cookies set without the Secure flag, allowing them to be transmitted over unencrypted HTTP connections and intercepted by attackers on the network.

How It Works

A cookie without `Secure` is sent by the browser on both HTTP and HTTPS requests to its host. If any request to your site goes over plain HTTP, the session cookie crosses the network in plaintext. The user does not have to type an http:// URL for this to happen: an attacker positioned on the path (public Wi-Fi, a compromised router, a corporate proxy) can inject a reference such as an image pointing at the http:// version of your site into any unencrypted page the victim loads, and the browser attaches the cookie to that request without any click. Whoever captures the cookie can replay it and act as the logged-in user. HSTS narrows this window once the browser has seen the header, but it is not a substitute: the Secure flag is what tells the browser never to send the cookie over HTTP in the first place.
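The rule described above, as an added example that is not code from the page: a minimal model of how a browser decides which stored cookies to attach to a request (RFC 6265 section 5.4), plus the modern-browser rule that a Secure cookie arriving over plain http:// is rejected rather than stored. Host names, tokens and the injected-image scenario are constructed for the demo; the model deliberately ignores Domain, Path and expiry matching.

```javascript
// Added example (not from the page): why a cookie without Secure leaks.
// Follows RFC 6265 section 5.4: a cookie with the secure-only flag is
// attached only to requests whose scheme is "https"; every other cookie is
// attached to http:// requests as well. Names and tokens are constructed.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false };
  for (const attr of attrs) {
    const key = attr.split('=')[0].toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Toy cookie jar for a single host. storeFromResponse() applies the rule
// (Chrome 52+, Firefox 52+) that a Secure cookie set over plain http:// is
// refused, which is also why local dev over HTTP needs an explicit opt-out.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  storeFromResponse(responseUrl, setCookieHeaders) {
    const https = new URL(responseUrl).protocol === 'https:';
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h);
      if (c.secure && !https) continue; // rejected: Secure cookie over HTTP
      this.cookies.set(c.name, c);
    }
  }
  // Build the Cookie request header the browser would send to requestUrl.
  cookieHeaderFor(requestUrl) {
    const https = new URL(requestUrl).protocol === 'https:';
    return [...this.cookies.values()]
      .filter((c) => https || !c.secure)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Scenario: the user logs in over HTTPS and receives two cookies. Later an
// attacker on the path injects <img src="http://shop.example/pixel.gif">
// into an unrelated HTTP page the user loads. No click is needed.
function demoLeak() {
  const jar = new CookieJar();
  jar.storeFromResponse('https://shop.example/login', [
    'session=tok-abc123; HttpOnly; Path=/', // the vulnerable cookie
    'csrf=nonce-xyz; Secure; Path=/',        // a cookie with Secure
  ]);
  return {
    overHttps: jar.cookieHeaderFor('https://shop.example/account'),
    overHttp: jar.cookieHeaderFor('http://shop.example/pixel.gif'),
  };
}

console.log(demoLeak());
// → { overHttps: 'session=tok-abc123; csrf=nonce-xyz', overHttp: 'session=tok-abc123' }
```

The `overHttp` result is the whole vulnerability: the session cookie rides along on a request the attacker caused and can read, while the Secure cookie stays home.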

Vulnerable Code
// BAD: session cookie without Secure flag
res.setHeader('Set-Cookie', `session=${token}; HttpOnly; Path=/`);
Secure Code
// GOOD: Secure whenever NODE_ENV is 'production'. Make sure production
// deployments actually set NODE_ENV: if it is missing, this drops the flag.
// Browsers refuse a Secure cookie set over plain http://, which is why the
// local-dev case omits it.
const isProduction = process.env.NODE_ENV === 'production';
res.setHeader(
  'Set-Cookie',
  `session=${token}; HttpOnly; Path=/; SameSite=Lax${isProduction ? '; Secure' : ''}`
);

Real-World Example

Open hotel and airport Wi-Fi networks have been used to capture unprotected session cookies from travelers whose sites set cookies without the Secure flag. A captured cookie lets the attacker hijack the account without knowing the password, and the victim sees nothing unusual.

How to Prevent It

  • Set the Secure flag on every cookie your production site issues, session cookies first
  • Do not rely on a library to add Secure for you: the cookie package and express-session both leave it off unless you pass the secure option explicitly (tough-cookie is a client-side cookie jar, not a way to set response headers)
  • If you condition Secure on NODE_ENV to keep local dev working, fail closed: an unset NODE_ENV must still produce Secure, and only an explicit local-dev opt-out (or running dev over HTTPS) should turn it off
  • Combine with HttpOnly and SameSite for defense-in-depth; naming the cookie with the __Host- prefix makes the browser itself enforce Secure, Path=/ and no Domain attribute
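Putting the list into code, as an added example that is not the page's or any library's own code: a session-cookie builder that fails closed on an unset NODE_ENV and uses the __Host- prefix, beside an audit function of the kind a scanner or CI check would run over response headers. The names buildSessionCookie, auditSetCookie and the ALLOW_INSECURE_COOKIES variable are assumptions for this demo; the sample headers are constructed.

```javascript
// Added example (not from the page): fail-closed cookie construction plus a
// Set-Cookie audit. buildSessionCookie, auditSetCookie and the
// ALLOW_INSECURE_COOKIES variable are names assumed for this demo.

// Build the Set-Cookie value for a session token. Secure is ON unless the
// caller explicitly opts out for local development AND NODE_ENV is not
// 'production'; an unset NODE_ENV does not silently drop the flag. With
// Secure on, the __Host- prefix makes the browser reject the cookie unless
// it also has Secure, Path=/ and no Domain attribute.
function buildSessionCookie(token, env = process.env) {
  const devOptOut = env.NODE_ENV !== 'production' && env.ALLOW_INSECURE_COOKIES === '1';
  const secure = !devOptOut;
  const name = secure ? '__Host-session' : 'session';
  const attrs = ['HttpOnly', 'Path=/', 'SameSite=Lax', `Max-Age=${8 * 3600}`];
  if (secure) attrs.push('Secure');
  return `${name}=${token}; ${attrs.join('; ')}`;
}

// Audit one Set-Cookie header value. Returns a list of findings; an empty
// list means the cookie carries the attributes this page recommends.
// sessionLike controls whether HttpOnly is required (it is for sessions).
function auditSetCookie(header, { sessionLike = true } = {}) {
  // Attribute present if it follows a ';' and is a whole token (flag or key=value).
  const has = (attr) => new RegExp(`;\\s*${attr}\\s*(=|;|$)`, 'i').test(header);
  const name = header.slice(0, header.indexOf('='));
  const findings = [];
  if (!has('Secure')) findings.push('missing Secure (CWE-614): cookie is sent over plain HTTP');
  if (sessionLike && !has('HttpOnly')) findings.push('missing HttpOnly: cookie is readable by page script');
  if (!has('SameSite')) findings.push('missing SameSite: cookie is sent on cross-site requests');
  const hostPathOk = /;\s*Path=\/\s*(;|$)/i.test(header);
  if (name.startsWith('__Host-') && !(has('Secure') && hostPathOk && !has('Domain'))) {
    findings.push('__Host- prefix violated: needs Secure, Path=/ and no Domain');
  }
  if (name.startsWith('__Secure-') && !has('Secure')) {
    findings.push('__Secure- prefix violated: needs Secure');
  }
  return findings;
}

// Demo run over constructed inputs.
console.log(buildSessionCookie('tok-1', { NODE_ENV: 'production' }));
console.log(auditSetCookie('session=tok-5; HttpOnly; Path=/')); // the page's vulnerable header
```

Wire `auditSetCookie` into an integration test that fetches a login response and asserts an empty finding list; that turns the scanner's check into a regression guard the team owns.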

Affected Technologies

Node.js, Next.js, Python, PHP

Data Hogo detects this vulnerability automatically.

