When a cookie is protected with the secure attribute set to true, the browser will not send it over an unencrypted HTTP request, so it cannot be observed by an unauthorized person during a man-in-the-middle attack.

Ask Yourself Whether

You are at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Sensitive Code Examples

http.cookies

import http.cookies

cookie = http.cookies.SimpleCookie()
cookie['key'] = 'value'
cookie['key']['secure'] = False # Sensitive

Flask

from flask import Flask, Response

app = Flask(__name__)

@app.route('/')
def index():
    response = Response()
    response.set_cookie('key', 'value') # Sensitive: secure defaults to False
    return response

Compliant Solution

http.cookies

import http.cookies

cookie = http.cookies.SimpleCookie()
cookie['key'] = 'value'
cookie['key']['secure'] = True # Compliant

Flask

from flask import Flask, Response

app = Flask(__name__)

@app.route('/')
def index():
    response = Response()
    response.set_cookie('key', 'value', secure=True) # Compliant
    return response
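As an added example that is not part of the rule page, the following standard-library-only helper renders the http.cookies examples above as Set-Cookie header values and audits any list of such values for cookies missing the Secure attribute; the header samples are constructed for illustration.

```python
import http.cookies


def set_cookie_headers(cookie: http.cookies.SimpleCookie) -> list[str]:
    """Render one Set-Cookie header value per cookie, as a server would emit them.

    http.cookies only writes the Secure token when the morsel's 'secure'
    attribute is truthy, so secure=False and an unset attribute look identical
    on the wire: both lack the flag.
    """
    return [morsel.OutputString() for morsel in cookie.values()]


def insecure_cookies(headers: list[str]) -> list[str]:
    """Return names of cookies whose Set-Cookie value lacks the Secure attribute.

    Attribute names are matched case-insensitively, as browsers treat them.
    """
    missing = []
    for header in headers:
        parts = [part.strip() for part in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attributes = {part.split("=", 1)[0].lower() for part in parts[1:]}
        if "secure" not in attributes:
            missing.append(name)
    return missing


def build_cookie(secure: bool) -> http.cookies.SimpleCookie:
    """Mirror the page's http.cookies examples: one cookie, Secure on or off."""
    cookie = http.cookies.SimpleCookie()
    cookie["key"] = "value"
    cookie["key"]["secure"] = secure
    return cookie


# Constructed sample headers (not captured traffic) to show the audit on mixed input.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",    # missing Secure
    "csrf=tok; Path=/; Secure; HttpOnly",  # compliant
    "theme=dark; path=/; secure",          # lower-case token still counts
]

if __name__ == "__main__":
    print(insecure_cookies(set_cookie_headers(build_cookie(False))))  # ['key']
    print(insecure_cookies(set_cookie_headers(build_cookie(True))))   # []
    print(insecure_cookies(SAMPLE_HEADERS))                           # ['session']
```

The same audit applies to a Flask response by passing `response.headers.getlist("Set-Cookie")` to `insecure_cookies`.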

See