Avery235

Reputation: 5316

Secure: true on cookie for forced https

If my website has HSTS / forced https (i.e. users won't be able to access the http version of the website), is there any point in setting secure: true for the cookies?

Upvotes: 2

Views: 6528

Answers (1)

Paul

Reputation: 141827

Absolutely, there is a point. Without secure: true, a browser would send those cookies along with any non-encrypted HTTP request to your domain, whether or not your domain listens for that request or responds to it.

You might not expect your users to work around HSTS and make a non-HTTPS request once they've visited your website and received a cookie, but they might do it anyway for various reasons, including, but not limited to, an attacker who is trying to hijack their session manipulating them into doing so.

Upvotes: 1
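A small model of the browser rule the answer relies on, added here as an example and not part of the original question or answer. It parses Set-Cookie headers into a constructed cookie jar for the hypothetical host `example.com` and shows which cookies would be attached to an `http://` versus an `https://` request; `cookiesMissingSecure` is a check you can run over your own server's response headers to spot cookies that would leak on a plaintext request. Domain matching is simplified to an exact host match.

```javascript
// Parse one Set-Cookie header value. `host` is the responding host and is
// used as the cookie's domain when no Domain attribute is given.
function parseSetCookie(header, host) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: host.toLowerCase(),
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "domain" && v) cookie.domain = v.replace(/^\./, "").toLowerCase();
  }
  return cookie;
}

// Names of the jar's cookies a browser would attach to a request for `url`.
// A Secure cookie is only sent over https:; a non-Secure cookie is sent over
// plain http: as well, whether or not anything on the server answers.
function cookiesSentTo(jar, url) {
  const u = new URL(url);
  return jar
    .filter((c) => c.domain === u.hostname)
    .filter((c) => (c.secure ? u.protocol === "https:" : true))
    .map((c) => c.name);
}

// Defensive audit: which Set-Cookie values from a response lack Secure?
function cookiesMissingSecure(setCookieHeaders, host) {
  return setCookieHeaders
    .map((h) => parseSetCookie(h, host))
    .filter((c) => !c.secure)
    .map((c) => c.name);
}

// Constructed sample: one cookie without Secure, one with it.
const HOST = "example.com";
const SET_COOKIE_HEADERS = [
  "session=abc123; Path=/; HttpOnly",
  "session2=def456; Path=/; Secure; HttpOnly",
];
const jar = SET_COOKIE_HEADERS.map((h) => parseSetCookie(h, HOST));
console.log("http :", cookiesSentTo(jar, "http://example.com/")); // [ 'session' ]
console.log("https:", cookiesSentTo(jar, "https://example.com/")); // [ 'session', 'session2' ]
console.log("missing Secure:", cookiesMissingSecure(SET_COOKIE_HEADERS, HOST)); // [ 'session' ]
```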
