---
title: Set Secure Flag On Session Cookies
impact: HIGH
impactDescription: prevents cookie theft over unencrypted connections
tags: cookies, secure, https, session, security
---

## Set Secure Flag On Session Cookies

Without the Secure flag, the browser also sends the cookie on plaintext HTTP requests to the same host, so anyone on the network path can read the session token and reuse it. Setting `Secure: true` tells the browser to attach the cookie only to HTTPS requests.

**Incorrect (no Secure flag):**

```go
cookie := &http.Cookie{
    Name:  "session",
    Value: token,
}
http.SetCookie(w, cookie) // No Secure flag!
```

**Correct (Secure flag set):**

```go
cookie := &http.Cookie{
    Name:     "session",
    Value:    token,
    Secure:   true,     // HTTPS only
    HttpOnly: true,
    SameSite: http.SameSiteStrictMode,
}
http.SetCookie(w, cookie)
```

**Production enforcement:**

```go
// Secure is forced on in production; it is only relaxed for local
// plain-HTTP development, where an HTTPS-only cookie would never be sent back.
isProduction := os.Getenv("ENV") == "production"

cookie := &http.Cookie{
    Name:     "session",
    Value:    token,
    Secure:   isProduction,
    HttpOnly: true,
}
http.SetCookie(w, cookie)
```
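The following is an added, self-contained example that is not part of the original rule text. It ties the correct cookie attributes and the production switch above into one handler, and adds an audit helper that reads a response's `Set-Cookie` headers back and reports any cookie missing the Secure flag, so the rule can be checked in a unit test rather than by inspection. `LoginHandler`, `SessionCookie`, `SecureRequired` and `AuditCookies` are hypothetical names, the `ENV` variable is the one the page uses, and the session token value is a constructed placeholder. It goes slightly beyond the page by also turning Secure on whenever the request itself arrived over TLS, which covers a production deployment that forgot to set `ENV`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// SessionCookie builds the session cookie with the attributes the rule asks for.
// The caller decides whether Secure is set, so the policy lives in one place.
func SessionCookie(token string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    token,
		Path:     "/",
		Secure:   secure, // HTTPS only when true
		HttpOnly: true,   // not readable from JavaScript
		SameSite: http.SameSiteStrictMode,
		MaxAge:   3600,
	}
}

// SecureRequired reports whether the Secure flag must be set: always in
// production (ENV=production), and otherwise whenever the request already
// arrived over TLS. Only local plain-HTTP development gets an insecure cookie.
func SecureRequired(r *http.Request) bool {
	if os.Getenv("ENV") == "production" {
		return true
	}
	return r.TLS != nil
}

// LoginHandler is a hypothetical login endpoint that issues the session cookie.
func LoginHandler(w http.ResponseWriter, r *http.Request) {
	// Constructed placeholder; a real handler uses a random, unguessable token.
	token := "constructed-opaque-session-token"
	http.SetCookie(w, SessionCookie(token, SecureRequired(r)))
	w.WriteHeader(http.StatusNoContent)
}

// AuditCookies parses the Set-Cookie headers of a response and returns the
// names of cookies that lack the Secure flag. Run it against handlers in tests.
func AuditCookies(resp *http.Response) []string {
	var insecure []string
	for _, c := range resp.Cookies() {
		if !c.Secure {
			insecure = append(insecure, c.Name)
		}
	}
	return insecure
}

func main() {
	os.Setenv("ENV", "production")
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "https://example.test/login", nil)
	LoginHandler(rec, req)
	// Expected: no insecure cookies reported in production.
	fmt.Println("cookies missing Secure:", AuditCookies(rec.Result()))
}
```

Running the audit in a test catches the common regression where someone later drops `Secure` or `HttpOnly` from the cookie struct; the check reads what the browser would actually receive, not the struct the code happened to build.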

**Tools:** `http.Cookie`, security headers audit
