Open owlstack opened 7 years ago
Setting the secure flag on a cookie doesn't, in and of itself, result in it being encrypted. The secure flag is read by the browser when it is constructing its header. Secure cookies are only included in the headers when using an encrypted connection, i.e. https. If the connection is not encrypted, the browser will not send secure cookies. So the secure flag doesn't encrypt the cookie, it just ensures that it will only ever be sent if the connection is encrypted. Subtle but important difference.
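To make the mechanism in the comment above concrete, here is an added example (editor's code, not part of angular2-cookie or this thread): a minimal model of the rules a browser applies when it decides which stored cookies to attach to a request. The cookie jar, origin and attribute parsing are constructed for the example; real browsers implement many more rules (Domain, SameSite, Expires, and treating `http://localhost` as a secure context), which are deliberately left out.

```javascript
// Added example: a toy model of browser cookie-sending rules.
// It demonstrates that the Secure flag only gates WHETHER a cookie is sent
// (HTTPS only) and never encrypts the value, and that HttpOnly only hides
// the cookie from document.cookie, not from the network.

// Parse one Set-Cookie header value into a cookie record.
// Only Secure, HttpOnly and Path are understood; other attributes are ignored.
function parseSetCookie(headerValue) {
  const [pair, ...attrs] = headerValue.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    path: "/",
  };
  for (const attr of attrs) {
    const [key, val] = attr.split("=");
    switch (key.toLowerCase()) {
      case "secure":
        cookie.secure = true;
        break;
      case "httponly":
        cookie.httpOnly = true;
        break;
      case "path":
        cookie.path = val || "/";
        break;
      default:
        break; // Domain, SameSite, Expires etc. are not modelled here
    }
  }
  return cookie;
}

// Build the Cookie request header the browser would send for requestUrl.
// A Secure cookie is attached only when the request scheme is https.
// Note that the value is copied out verbatim: nothing here encrypts it.
function cookieHeaderFor(jar, requestUrl) {
  const url = new URL(requestUrl);
  const isEncrypted = url.protocol === "https:";
  return jar
    .filter((c) => url.pathname.startsWith(c.path))
    .filter((c) => !c.secure || isEncrypted)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// What page scripts see through document.cookie: HttpOnly cookies are excluded,
// even though they still travel in the Cookie header above.
function scriptVisibleCookies(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample jar: one Secure+HttpOnly session cookie, one plain cookie.
const SAMPLE_JAR = [
  "session=abc123; Secure; HttpOnly; Path=/",
  "theme=dark; Path=/",
].map(parseSetCookie);

console.log("http  ->", cookieHeaderFor(SAMPLE_JAR, "http://example.com/"));
console.log("https ->", cookieHeaderFor(SAMPLE_JAR, "https://example.com/"));
console.log("document.cookie ->", scriptVisibleCookies(SAMPLE_JAR));
```

Over `http://` the session cookie is simply absent from the header; over `https://` it is present, and its value `abc123` is still readable to anyone who can see the decrypted request, because the Secure flag changes transport, not content. Two practical consequences for the question of "encrypting" a cookie: the browser never encrypts cookie values, so data that must stay private belongs server-side behind an opaque identifier (or is encrypted and authenticated by the server before it is set); and HttpOnly cannot be set from page JavaScript at all, it can only come from a server `Set-Cookie` header, so a client-side cookie library cannot apply it.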
Hi @salemdar
I have a question. I'm using angular2-cookie in my application and I want to make my cookies secure, or preferably, encrypted, so the data in the cookie is not sent as plaintext. I'm noticing if I use the secure = true property, the cookie doesn't seem secure. It's still sent as plaintext. Is this the expected behavior for the cookie? If so, why? And how can I make the cookie more secure in this case via encryption or an alternative method? Can I also set HttpOnly?