mozilla / http-observatory

Mozilla HTTP Observatory
https://observatory.mozilla.org/
Mozilla Public License 2.0

Problematic advice regarding cookies with HSTS without secure flag #515

Open hannob opened 8 months ago

hannob commented 8 months ago

The Observatory gives a penalty for cookies without the secure flag.

However, it'll give less of a penalty if the site uses HSTS. The explanation is:

Session cookie set without the Secure flag, but transmission over HTTP prevented by HSTS

This is misleading. It is possible to have setups where a cookie is sent over HSTS, but can still be transmitted in plain text.

I have set up a simple example:

I think it is problematic to imply that HSTS would make the cookie secure flag unnecessary.

( https://bugzilla.mozilla.org/show_bug.cgi?id=1870262 is also related.)
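As an added illustration (not part of this issue, and not the Observatory's own code), a small Python model of one setup in which HSTS does not stop a non-Secure cookie from travelling in cleartext: cookie scope (a Domain= attribute covers every subdomain) is wider than HSTS scope (without includeSubDomains only the exact host is upgraded), and HSTS is unknown to the browser before its first HTTPS visit. Host names, header values and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    domain: str       # effective domain (the request host if no Domain attribute)
    host_only: bool   # True when no Domain attribute was given
    secure: bool


@dataclass
class Hsts:
    host: str
    include_subdomains: bool


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Minimal Set-Cookie parser: name, Domain and Secure only."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip().lstrip(".").lower()
    domain = attrs.get("domain")
    if domain:
        return Cookie(name, domain, False, "secure" in attrs)
    return Cookie(name, request_host.lower(), True, "secure" in attrs)


def parse_hsts(header: str, host: str) -> Hsts:
    """Minimal Strict-Transport-Security parser (max-age is ignored here)."""
    tokens = [t.strip().lower() for t in header.split(";")]
    return Hsts(host.lower(), "includesubdomains" in tokens)


def cookie_matches(cookie: Cookie, host: str) -> bool:
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def hsts_upgrades(hsts: Optional[Hsts], host: str) -> bool:
    if hsts is None:          # no HSTS policy cached yet (e.g. first visit)
        return False
    if host == hsts.host:
        return True
    return hsts.include_subdomains and host.endswith("." + hsts.host)


def sent_in_plaintext(cookie: Cookie, hsts: Optional[Hsts], url: str) -> bool:
    """True if a browser would attach the cookie to a cleartext request for url."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if u.scheme != "http" or cookie.secure:   # Secure flag: never on http://
        return False
    return cookie_matches(cookie, host) and not hsts_upgrades(hsts, host)
```

The Secure flag is the only one of these inputs that removes every cleartext case; the HSTS checks only narrow the set of hosts that get upgraded.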