Implementing Secure Cookie Attributes in a Flask Application Leading to Insecure Flag
I'm currently working on a Flask application and trying to implement secure cookie handling. I want to ensure that my session cookies are set with the `Secure` and `HttpOnly` flags to prevent potential attacks. However, despite setting these flags in my cookie configuration, I'm noticing that the `Secure` flag is not being applied correctly when I check it in the browser's developer tools. Here's the relevant part of my code:

```python
from flask import Flask, session, make_response, redirect

app = Flask(__name__)
app.secret_key = 'your_secret_key'

@app.route('/login', methods=['POST'])
def login():
    session['user'] = 'username'
    # Attempt to set cookies with Secure and HttpOnly flags
    response = make_response(redirect('/'))
    response.set_cookie('session', session.sid, secure=True, httponly=True)
    return response
```

I've also ensured that my application is being served over HTTPS. When I check the cookies in my browser after logging in, I see that the `HttpOnly` flag is set correctly, but the `Secure` flag is missing. I verified that the application is indeed running on HTTPS and my Flask app is correctly configured. I tried different browsers to verify if it's a browser-specific scenario, but the question continues.

Is there something I might be missing in my cookie configuration, or is there a known scenario with Flask in certain versions? I'm currently using Flask version 2.0.1. Any insights would be greatly appreciated!
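Flask's built-in session interface writes the `session` cookie itself and takes its flags from `SESSION_COOKIE_SECURE` (default `False`) and `SESSION_COOKIE_HTTPONLY` (default `True`), so a manual `set_cookie('session', ...)` yields a second `Set-Cookie` header for the same name. The following is an added example, not part of the original post: it audits which flags survive when several headers name the same cookie, and shows the config-based setting. The function names and sample headers are constructed for illustration, and a missing `Path` is assumed to mean `/`.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, {attribute: value-or-True})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), attrs


def effective_flags(set_cookie_headers):
    """Flags per (name, domain, path); a later header replaces an earlier one."""
    jar = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        # Assumption: a missing Path is treated as "/" to keep the example small.
        identity = (name, attrs.get("domain", ""), attrs.get("path", "/"))
        jar[identity] = {"secure": "secure" in attrs, "httponly": "httponly" in attrs}
    return jar


# Constructed headers: a manual cookie followed by the framework's own session cookie.
DUPLICATED = [
    "session=manual-value; Secure; HttpOnly; Path=/",
    "session=signed-session-value; HttpOnly; Path=/",
]
# Constructed header: a single session cookie with SESSION_COOKIE_SECURE enabled.
CONFIGURED = ["session=signed-session-value; Secure; HttpOnly; Path=/; SameSite=Lax"]


def flask_login_headers():
    """Set the flags through Flask config and return the real Set-Cookie headers."""
    from flask import Flask, redirect, session  # imported here; needs Flask installed
    app = Flask(__name__)
    app.secret_key = "constructed-test-key"
    app.config.update(SESSION_COOKIE_SECURE=True, SESSION_COOKIE_HTTPONLY=True,
                      SESSION_COOKIE_SAMESITE="Lax")

    @app.route("/login", methods=["POST"])
    def login():
        session["user"] = "username"  # no manual set_cookie for the session
        return redirect("/")

    return app.test_client().post("/login").headers.getlist("Set-Cookie")


if __name__ == "__main__":
    print(effective_flags(DUPLICATED), effective_flags(flask_login_headers()))
```

Feeding the `Set-Cookie` headers copied from the browser's network tab into `effective_flags` shows whether a later header for the same cookie is dropping `Secure`.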