Cookies / sessions · Check
Session cookie missing Secure — fixing token leakage on plaintext hops
Session cookies without the Secure attribute may be sent over unencrypted requests (mixed content, redirect chains, dev tooling). Once a session token leaves TLS, it's effectively public.
Real-world risk
Session cookies may be sent over HTTP links or mixed content, enabling session theft on the wire.
Fix steps (in order)
- Set Set-Cookie with the Secure attribute for session cookies.
- Example: Set-Cookie: sid=…; Path=/; HttpOnly; Secure; SameSite=Lax
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (session_cookie_missing_secure) clears once the Secure attribute is externally observable on the session cookie's Set-Cookie header.