This repository was archived by the owner on Nov 4, 2024. It is now read-only.
The Observatory gives a penalty for cookies without the secure flag.
However, it'll give less of a penalty if the site uses HSTS. The explanation is:
Session cookie set without the Secure flag, but transmission over HTTP prevented by HSTS
This is misleading. It is possible to have setups where a cookie is sent over HSTS, but can still be transmitted in plain text.
I have set up a simple example:
I think it is problematic to imply that HSTS would make the cookie secure flag unnecessary.
( https://bugzilla.mozilla.org/show_bug.cgi?id=1870262 is also related.)
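The point of the issue is that HSTS and the Secure flag protect different things: HSTS is a per-host, time-limited upgrade policy held by the browser, while Secure is a per-cookie property the browser enforces regardless of any policy. The following Python audit helper, added here as an example and not the Observatory's own scoring code, parses `Set-Cookie` and `Strict-Transport-Security` headers and reports cookies lacking Secure, treating HSTS only as context. It flags two generic scope mismatches that the HSTS specification (RFC 6797) and cookie specification (RFC 6265) allow: a cookie with a `Domain` attribute being sent to hosts that an HSTS policy without `includeSubDomains` does not cover, and a cookie that outlives the HSTS `max-age`. The reason codes, the headers and the comparison rule are constructed for this example; the author's actual setup is not reproduced here.

```python
"""Audit Set-Cookie headers for the Secure flag, with HSTS reported as context only.

Added example (not the Observatory's code). Sample headers below are constructed.
"""
from __future__ import annotations

# Assumed reason codes for this audit; not taken from the Observatory.
NO_SECURE = "NO_SECURE"            # cookie lacks the Secure attribute
HSTS_ABSENT = "HSTS_ABSENT"        # no HSTS policy with max-age > 0
HSTS_SCOPE_GAP = "HSTS_SCOPE_GAP"  # cookie Domain= reaches hosts HSTS (no includeSubDomains) does not cover
HSTS_EXPIRY_GAP = "HSTS_EXPIRY_GAP"  # cookie Max-Age longer than HSTS max-age


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split one Set-Cookie value into (cookie name, {attribute_lowercase: value or None})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = None  # flag attributes such as Secure / HttpOnly
    return name, attrs


def parse_hsts(header: str | None) -> dict[str, int | bool]:
    """Parse Strict-Transport-Security directives (RFC 6797 section 6.1)."""
    policy: dict[str, int | bool] = {"max_age": 0, "include_subdomains": False}
    if not header:
        return policy
    for directive in header.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                policy["max_age"] = int(d.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # malformed max-age: treat as no effective policy
        elif d == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def audit_cookies(set_cookie_headers: list[str], hsts_header: str | None) -> dict[str, list[str]]:
    """Return {cookie_name: [reason codes]}; an empty list means the cookie is Secure."""
    hsts = parse_hsts(hsts_header)
    hsts_effective = hsts["max_age"] > 0
    findings: dict[str, list[str]] = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        reasons: list[str] = []
        if "secure" not in attrs:
            # Policy assumption: HSTS never substitutes for Secure; it only adds context.
            reasons.append(NO_SECURE)
            if not hsts_effective:
                reasons.append(HSTS_ABSENT)
            else:
                # HSTS without includeSubDomains binds only the exact host that sent it,
                # while a Domain= cookie is sent to that domain and all its subdomains.
                if "domain" in attrs and not hsts["include_subdomains"]:
                    reasons.append(HSTS_SCOPE_GAP)
                # A persistent cookie that outlives the HSTS policy can be sent after
                # the browser has forgotten the upgrade rule (unless it is refreshed).
                cookie_max_age = attrs.get("max-age")
                if cookie_max_age and cookie_max_age.isdigit() and int(cookie_max_age) > hsts["max_age"]:
                    reasons.append(HSTS_EXPIRY_GAP)
        findings[name] = reasons
    return findings


# Constructed sample response headers for a stand-alone run.
SAMPLE_COOKIES = [
    "sessionid=abc123; Path=/; HttpOnly; Domain=example.com; Max-Age=2592000",
    "csrf=xyz; Path=/; Secure; SameSite=Lax",
]
SAMPLE_HSTS = "max-age=86400"

if __name__ == "__main__":
    for cookie, reasons in audit_cookies(SAMPLE_COOKIES, SAMPLE_HSTS).items():
        print(f"{cookie}: {'ok' if not reasons else ', '.join(reasons)}")
```

Run against the constructed sample, `sessionid` is reported with `NO_SECURE`, `HSTS_SCOPE_GAP` and `HSTS_EXPIRY_GAP` even though HSTS is present, while `csrf` passes; a scoring rule built on this would never reduce the penalty for a missing Secure flag merely because an HSTS header exists.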