Security fix guide

How to Fix a Missing Secure Cookie Flag

A cookie without Secure may be sent over HTTP if the site or subresource is accessed without HTTPS.

What the issue means

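Without the Secure attribute, the browser attaches the cookie to plain HTTP requests as well as HTTPS ones, so it may be sent unencrypted whenever the site or one of its subresources is requested over HTTP.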

Why it matters

Secure helps ensure sensitive cookies are only sent over encrypted HTTPS connections.

How to check it

Inspect Set-Cookie headers and verify sensitive cookies include Secure.
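
One way to automate this check, as an added example (not code from this guide): it parses each Set-Cookie value and reports cookies that lack Secure. The sensitive-name pattern and the sample headers are constructed assumptions; beyond the guide's text it also flags __Secure-/__Host- prefixed and SameSite=None cookies, which browsers only accept with Secure.

```javascript
// Assumption: cookie names matching this pattern carry session or auth state.
const SENSITIVE = /sess|sid|auth|token|jwt|csrf/i;

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = new Map();
  for (const attr of attrs) {
    if (!attr) continue; // tolerate a trailing ";"
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes.set(key, i === -1 ? "" : attr.slice(i + 1).trim());
  }
  return { name, attributes };
}

// Return one finding per cookie that needs Secure but lacks it.
function auditSetCookie(headers) {
  const findings = [];
  for (const header of headers) {
    const { name, attributes } = parseSetCookie(header);
    if (attributes.has("secure")) continue;
    const sameSite = (attributes.get("samesite") || "").toLowerCase();
    if (/^__(Secure|Host)-/i.test(name)) {
      findings.push({ name, reason: "prefix requires Secure; browsers reject this cookie" });
    } else if (sameSite === "none") {
      findings.push({ name, reason: "SameSite=None requires Secure" });
    } else if (SENSITIVE.test(name)) {
      findings.push({ name, reason: "sensitive cookie missing Secure" });
    }
  }
  return findings;
}

// Constructed sample: one Set-Cookie value per element, as a server would send them.
const sampleHeaders = [
  "session=abc123; Path=/; HttpOnly; SameSite=Lax",
  "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
  "__Host-sid=42; Path=/; HttpOnly",
  "widget=1; Path=/; SameSite=None",
  "theme=dark; Path=/; Max-Age=31536000",
  "csrf=9f2; Path=/; secure",
];

for (const f of auditSetCookie(sampleHeaders)) console.log(`${f.name}: ${f.reason}`);
```

With fetch in a recent Node.js or browser, `response.headers.getSetCookie()` returns the header values in this one-per-element form.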

How to fix it

Serve the site over HTTPS and set Secure on authentication and session cookies.

Configuration examples

Nginx
Prefer application code; proxy_cookie_flags can add Secure in reverse proxy setups.
Apache
Prefer application code; Header edit Set-Cookie can help in some legacy configurations.
Vercel / Next.js
cookies().set("session", value, { secure: true, httpOnly: true, sameSite: "lax" });
Cloudflare
Enable HTTPS and use application-level Secure cookie flags.