---
title: Use Secure Cookie Flag
impact: MEDIUM
impactDescription: prevents cookies from being sent over insecure connections
tags: security, cookies, tls, ssl
---

## Use Secure Cookie Flag

Set the `secure` flag on all session and sensitive cookies to ensure they are only transmitted over HTTPS.

**Incorrect (non-secure cookie):**

```ruby
# config/initializers/session_store.rb
Rails.application.config.session_store :cookie_store, key: '_app_session', secure: false
```

**Correct (secure cookie):**

```ruby
# config/initializers/session_store.rb
# Setting config.force_ssl = true in production also marks cookies secure by
# default; setting secure: true here makes the requirement explicit.
Rails.application.config.session_store :cookie_store, key: '_app_session', secure: true
```
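To verify the setting end to end rather than trusting the initializer, the following added example (not part of this rule or of Rails) parses `Set-Cookie` headers from a response and reports sensitive cookies that lack the `Secure` attribute; the cookie names and header values are constructed for illustration.

```ruby
# Added example: check Set-Cookie headers for the Secure attribute.
# Run it against headers captured from a real response in a request spec
# or a post-deploy smoke test. All names and values below are constructed.

# Cookies that must always carry Secure (assumed names for this example).
SENSITIVE_COOKIE_NAMES = %w[_app_session remember_token].freeze

# Parse one Set-Cookie header value into the cookie name and its flags.
# Attribute names are case-insensitive per RFC 6265, so they are downcased.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name = pair.split("=", 2).first
  flags = attrs.map { |a| a.split("=", 2).first.downcase }
  { name: name, secure: flags.include?("secure"), httponly: flags.include?("httponly") }
end

# Return the names of cookies that are missing the Secure attribute.
# With sensitive_only: true only the names in SENSITIVE_COOKIE_NAMES count.
def cookies_missing_secure(set_cookie_headers, sensitive_only: true)
  set_cookie_headers
    .map { |h| parse_set_cookie(h) }
    .reject { |c| c[:secure] }
    .select { |c| !sensitive_only || SENSITIVE_COOKIE_NAMES.include?(c[:name]) }
    .map { |c| c[:name] }
end

# Constructed sample headers: the session cookie is missing Secure,
# the remember token is correct, and a non-sensitive theme cookie has no flags.
SAMPLE_HEADERS = [
  "_app_session=abc123; path=/; HttpOnly; SameSite=Lax",
  "remember_token=xyz; path=/; Secure; HttpOnly",
  "theme=dark; path=/"
].freeze

if __FILE__ == $0
  offenders = cookies_missing_secure(SAMPLE_HEADERS)
  if offenders.empty?
    puts "OK: all sensitive cookies carry the Secure flag"
  else
    puts "Missing Secure flag: #{offenders.join(', ')}"
  end
end
```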

**Tools:** Brakeman, Mozilla Observatory
---
