Audit required: Cookie is transmitted over an insecure connection CS-A1009

Setting Secure to false means that the cookie is allowed to be transmitted over an insecure connection. It is always recommended that you send and receive information only via a secure line.

Bad Practice

cookie.Secure = false;

Recommended

cookie.Secure = true;

Reference

• HttpCookie.Secure
• A04:2021: Insecure Design
• A05:2021: Security Misconfiguration
• CWE-311: Missing Encryption of Sensitive Data
• CWE-315: Cleartext Storage of Sensitive Information in a Cookie
• CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute