Feature     Value
Type        Detection / Protection
Risk        -
Covered by  Agent

Even though the application is using HTTPS, it is not setting the Secure flag on its cookies, which may lead to data exposure.

When the HTTP protocol is used, the traffic is sent in plaintext. This allows an attacker to see or modify the traffic (a man-in-the-middle attack). HTTPS is the secure version of HTTP – it uses SSL/TLS to protect the data of the application layer. When HTTPS is used, the following properties are achieved: authentication, data integrity and confidentiality. How are HTTP and HTTPS related to the cookie Secure flag?

Let’s consider the case of an authentication cookie. Stealing this cookie is equivalent to impersonating the user. When HTTP is used, the cookie is sent in plaintext. This is perfect for an attacker eavesdropping on the communication channel between the browser and the server – they can grab the cookie and impersonate the user.

Now let’s assume that HTTPS is used instead of HTTP. HTTPS provides confidentiality, so the attacker can’t see the cookie. The conclusion is to send the authentication cookie over a secure channel so that it can’t be eavesdropped on. The question that might appear at this point is: why do we need a Secure flag if we can use HTTPS?

Let’s consider the following scenario to answer this question. The site is available over both HTTP and HTTPS. Moreover, let’s assume that there is an attacker in the middle of the communication channel between the browser and the server. The cookie sent over HTTPS can’t be eavesdropped on. However, the attacker can take advantage of the fact that the site is also available over HTTP. The attacker sends the user a link to the HTTP version of the site. The user clicks the link and an HTTP request is generated. Since HTTP traffic is sent in plaintext, the attacker eavesdrops on the communication channel and reads the user’s authentication cookie. Can we allow this cookie to be sent only over HTTPS? If this were possible, we would prevent the attacker from reading the authentication cookie in our story. It turns out that it is possible, and the Secure flag is used exactly for this purpose – a cookie with the Secure flag will only be sent over an HTTPS connection.
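The scenario above, and the detection check this page describes, as an added example that is not part of the original page or of any agent's code. It models the browser rule for the Secure flag (a Secure cookie is attached only to https:// requests) and scans constructed response headers for cookies set over TLS without the flag. The cookie name SESSIONID, the host shop.example and the header lists are constructed sample data.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool
    http_only: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value into a Cookie.

    Attribute names are case-insensitive (RFC 6265); only the attributes
    relevant here, Secure and HttpOnly, are tracked.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return Cookie(name=name.strip(), value=value.strip(),
                  secure="secure" in attrs, http_only="httponly" in attrs)


def missing_secure_flag(response_headers: list[tuple[str, str]], tls: bool) -> list[str]:
    """Detection check: names of cookies set on a TLS response without the Secure flag."""
    findings = []
    for field, val in response_headers:
        if field.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(val)
        if tls and not cookie.secure:
            findings.append(cookie.name)
    return findings


def cookies_sent(jar: list[Cookie], url: str) -> list[str]:
    """Browser rule: a cookie carrying Secure is attached only to https:// requests."""
    scheme = urlsplit(url).scheme.lower()
    return [c.name for c in jar if scheme == "https" or not c.secure]


def downgrade_scenario(set_cookie_header: str) -> dict:
    """Replay the mixed HTTP/HTTPS story: the cookie is set, then the user follows
    a link to the HTTP version of the same site (constructed host shop.example)."""
    cookie = parse_set_cookie(set_cookie_header)
    jar = [cookie]
    over_http = cookies_sent(jar, "http://shop.example/account")
    return {
        "sent_over_https": cookies_sent(jar, "https://shop.example/account"),
        "sent_over_http": over_http,
        # True means the cookie would travel in plaintext and be readable on the path
        "exposed_in_plaintext": cookie.name in over_http,
    }


# Constructed sample responses (not captured traffic).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
]
FIXED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    print("weak response, cookies lacking Secure:", missing_secure_flag(WEAK_RESPONSE, tls=True))
    print("fixed response, cookies lacking Secure:", missing_secure_flag(FIXED_RESPONSE, tls=True))
    print("without Secure:", downgrade_scenario("SESSIONID=abc123; Path=/"))
    print("with Secure:   ", downgrade_scenario("SESSIONID=abc123; Path=/; Secure"))
```

The two responses differ only in the Secure attribute; the check flags the first and accepts the second, and the replay shows that only the flagged cookie would be attached to the http:// request in the story.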

How to solve it

Set the Secure flag on cookies so that the browser only sends them over HTTPS.

import javax.servlet.http.Cookie;

Cookie cookie = new Cookie("foo", "bar"); // Create cookie
cookie.setSecure(true);                   // Secure cookie: only sent over HTTPS
response.addCookie(cookie);               // response is the HttpServletResponse being written