Set the Secure Cookie Flag to Ensure Cookies are Only Sent Over Secure Connections

Mike Sherov
Published 4 years ago
Updated 3 years ago

In this lesson, we'll learn how to set the secure flag on our session id cookie to ensure it is only transmitted over HTTPS connections. This will effectively mitigate the Session Hijacking vulnerability we introduced in the previous lesson.

Instructor: [0:00] We've set up our site to serve traffic over HTTPS, and to redirect from HTTP to HTTPS. The problem now is that when we do this, we see that we're still submitting the cookie over HTTP. The reason for this is that cookies are set by default to send over both HTTPS and HTTP. Luckily, there's a property of cookies called secure. If we pass secure when we set our cookie, it will only send over HTTPS.

[0:27] To do this in Express, we go down to our cookie settings for our session cookie and enter in secure: true. Hitting save will cause our server to reload, and we'll go ahead and, in our browser, clear our cookies completely, and go back to the network tab. Now, refresh the page. We can see that the response from the server, when it sets the cookie, now includes secure as part of the Set-Cookie command.

[1:06] Regardless of how you accomplish this, whether using Express or any other framework, the important bit is that the Set-Cookie header must have the secure property set on it. If we now once again enter in an HTTP URL, we'll see that the HTTP request no longer passes the cookie in the request headers. We now have a site that will redirect from HTTP to HTTPS, but will no longer send cookies on HTTP.
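
The check described in the transcript, as an added example that is not code from the lesson: it parses Set-Cookie header values, reports cookies set without the Secure attribute, and models when a browser would attach the cookie. The cookie name sessionId, its value, the host example.com and all function names are constructed for illustration.

```javascript
// Constructed sample Set-Cookie values (not captured from the lesson's server).
const BEFORE = 'sessionId=abc123; Path=/; HttpOnly';        // set without the flag
const AFTER = 'sessionId=abc123; Path=/; HttpOnly; Secure'; // set with secure: true

// Parse one Set-Cookie header value; attribute names are case-insensitive.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  // A pair without '=' is treated as a nameless cookie.
  const name = eq === -1 ? '' : pair.slice(0, eq);
  return { name, value: pair.slice(eq + 1), attrs };
}

// Audit helper: names of cookies in a response that were set without Secure.
function cookiesMissingSecure(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !('secure' in c.attrs))
    .map((c) => c.name);
}

// Simplified browser rule: a Secure cookie is attached only to https: requests.
// Domain, path and expiry matching are left out of this model.
function wouldSend(cookie, url) {
  return !('secure' in cookie.attrs) || new URL(url).protocol === 'https:';
}

// Compare both sample cookies against an http: and an https: request.
function demo() {
  return [BEFORE, AFTER].map((h) => {
    const c = parseSetCookie(h);
    return {
      header: h,
      overHttp: wouldSend(c, 'http://example.com/'),
      overHttps: wouldSend(c, 'https://example.com/'),
    };
  });
}

console.log(demo(), cookiesMissingSecure([BEFORE, AFTER]));
```

Running cookiesMissingSecure over the Set-Cookie values of a login response is a quick regression check that the session cookie still carries the flag after a framework or proxy change.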
