
CWE-614: Sensitive Cookie Without Secure Flag

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected session or authentication cookies that were set without the Secure attribute even though the application is served over HTTPS. The evidence is Set-Cookie headers in HTTPS responses that lack the Secure flag; without it, a browser will also send those cookies on plain HTTP requests to the same host, so they can be exposed on an unencrypted channel.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-614 typically indicate that cookies containing sensitive data were set without the Secure attribute. Typical evidence includes:

  • Set-Cookie headers missing the Secure flag
  • Session or authentication cookies sent over HTTP
  • Cookies that remain usable when accessed via unencrypted connections

Evidence is based on observed response headers and runtime behavior, not on request parameters or payloads.

Mapping DAST Findings to Source Code

CWE-614 does not map to a specific request parameter or endpoint. The issue resides in how cookies are configured and set by the application or framework.

When tracing this issue in code, review:

  • Session or authentication cookie configuration
  • Framework defaults for cookie security attributes
  • Environment-specific settings that disable Secure flags
  • Middleware responsible for setting cookies

Remediation

Core Principle: Never allow sensitive cookies to be transmitted over unencrypted connections; cookie confidentiality must be enforced by the transport and server configuration, not by client behavior.

→ For comprehensive remediation guidance, see Static CWE-614 Guidance

Language-Specific Guidance

The static guidance provides detailed remediation steps for many languages. If you need language-specific examples:

Verification and Follow-Up Testing

After applying the fix:

1. Verify Cookie Attributes

  • Confirm sensitive cookies include the Secure attribute
  • Ensure cookies are not transmitted over HTTP

2. Test Edge Cases

  • Authentication and session establishment flows
  • Redirects between HTTP and HTTPS
  • Environment-specific configurations
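A small checker for the verification step above, added here as an example and not taken from any scanner or vendor guidance. It parses Set-Cookie header values from a response, decides which cookies are sensitive by name (a heuristic you would tune per application; the hint list and the sample headers below are constructed assumptions) and reports the ones that lack the Secure attribute in an HTTPS response, or that are set at all in a plain-HTTP response.

```python
"""Audit Set-Cookie headers for CWE-614 (sensitive cookie without Secure)."""
from dataclasses import dataclass

# Name fragments that usually mark session/auth cookies. Assumption: adjust per app.
SENSITIVE_NAME_HINTS = ("sess", "auth", "token", "jwt", "sid")


@dataclass
class ParsedCookie:
    name: str
    secure: bool
    httponly: bool
    sensitive: bool


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie value: 'name=value; Attr; Attr=val; ...'."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags like Secure carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    lowered = name.lower()
    return ParsedCookie(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        sensitive=any(hint in lowered for hint in SENSITIVE_NAME_HINTS),
    )


def audit_response(scheme: str, set_cookie_headers: list[str]) -> list[tuple[str, str]]:
    """Return (cookie name, reason) for each sensitive cookie that fails the check."""
    findings = []
    for cookie in map(parse_set_cookie, set_cookie_headers):
        if not cookie.sensitive:
            continue  # non-sensitive cookies (preferences, etc.) are out of scope here
        if scheme != "https":
            findings.append((cookie.name, "sensitive cookie set in a plain-HTTP response"))
        elif not cookie.secure:
            findings.append((cookie.name, "missing Secure attribute"))
    return findings


# Constructed sample headers, not captured from any real application.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; SameSite=Lax",  # sensitive, no Secure
    "auth_token=xyz; Path=/; Secure; HttpOnly",          # sensitive, correct
    "theme=dark; Path=/",                                 # not sensitive
]

if __name__ == "__main__":
    for name, reason in audit_response("https", SAMPLE_HEADERS):
        print(f"{name}: {reason}")
```

Run it against the headers of a real login response (copied from the browser's network panel or from the DAST report) to confirm the fix before re-running the scanner.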

Re-run DAST Scanner

Re-run the dynamic scanner to confirm cookies are no longer set without the Secure flag.

Additional Resources