Is there any point in setting the secure cookie flag for HSTS websites?

Yes, you should still mark your cookies as secure, for three reasons:

  • You dont want them to be exposed just because of a server configuration mishap. What if you move your application to a server with a different configuration?

  • HSTS is trust on first use. If your HSTS has expired but your cookies has not, the browser may send them unencrypted. Whether or not there is something responding to plain HTTP is irrelevant here.

  • As Tgr writes, not all browsers support HSTS.

I admit that the benefits aren't huge here, but the cost is basically zero. So set the secure flag!


Not all browsers honor HSTS. IE mobile doesn't, for example; desktop IE only does since version 11; cloud-based browsers like Opera Mini don't. Marking your cookies as secure is trivial and good defense in depth.

Tags:

Http

Cookies

Tls

Session Management

Related

What is the best protocol for an organisation to make phone calls to clients, where the client is required to verify their identity? Why are two CSRF tokens (hidden field and cookie) necessary to mitigate CSRF attacks? What's the point in hashing phone numbers? Why is Math.random() not designed to be cryptographically secure? Create backup Yubikey with identical PGP keys How do you prevent sending cookie data over HTTP the first time? Is it safe to check password against the HIBP Pwned Passwords API during account registration? Did I just get DNS Hijacked? JWT or public-private keys for service to service API calls Why add username to salt before hashing a password? How to verify PGP signature with signing key Accessing multiple sites via HTTPS produces different, unrelated content (Peugeot club via HTTPS)

Recent Posts