
Set secure flag on all cookies

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

The cookie 'payload' that I received was: 31d0051f82cb15f205e311d665237ae8; path=/; expires=Sun, 23-Oct-2016 00:25:31 GMT; HttpOnly

see: https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

This currently is based on the Rails setting of force_ssl. It also turns on HSTS, which we do not want for self-signed certs.

After upgrading to Rails 5 we will be able to enforce secure cookies without enforcing HSTS.

(from redmine: created on 2016-10-24)
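To make the finding concrete, here is an added example (not code from this issue or from the project): a small audit routine that parses a Set-Cookie header and reports which of the Secure and HttpOnly flags are absent, plus a Rack-style middleware that appends the Secure flag to outgoing cookies on HTTPS requests without touching HSTS, which is the decoupling the comment above is after. It is plain Ruby and assumes only Rack's `[status, headers, body]` triple and the newline-joined Set-Cookie header value; the cookie name `session` is a constructed placeholder, since the finding only quotes the value.

```ruby
# Added example (not from the original issue): cookie-flag audit and a
# Rack-style middleware that adds the Secure flag without enabling HSTS.

# Parse one Set-Cookie header value into its name/value pair and a hash of
# lowercase attribute names. Flags without a value (Secure, HttpOnly) map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split("=", 2)
  attributes = {}
  attrs.each do |attr|
    key, val = attr.split("=", 2)
    attributes[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attributes: attributes }
end

# Return the list of flags the finding cares about that the cookie lacks.
def missing_cookie_flags(header)
  attrs = parse_set_cookie(header)[:attributes]
  missing = []
  missing << "Secure" unless attrs["secure"]
  missing << "HttpOnly" unless attrs["httponly"]
  missing
end

# Rack-style middleware: append "; Secure" to each Set-Cookie entry that lacks it.
# Only the cookie flag is touched; no Strict-Transport-Security header is set.
# With only_https: true the flag is added only when the request arrived over TLS
# (directly or via a reverse proxy's X-Forwarded-Proto), so plain-HTTP dev setups
# keep working.
class SecureCookieFlag
  def initialize(app, only_https: true)
    @app = app
    @only_https = only_https
  end

  def call(env)
    status, headers, body = @app.call(env)
    https = env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
    if headers["Set-Cookie"] && (https || !@only_https)
      cookies = headers["Set-Cookie"].split("\n")
      headers["Set-Cookie"] = cookies.map { |c| c =~ /;\s*secure(;|\z)/i ? c : "#{c}; Secure" }.join("\n")
    end
    [status, headers, body]
  end
end

# Constructed sample: the cookie quoted in the finding, given a placeholder name.
SAMPLE_COOKIE = "session=31d0051f82cb15f205e311d665237ae8; path=/; expires=Sun, 23-Oct-2016 00:25:31 GMT; HttpOnly"

# Minimal app that sets the sample cookie, wrapped in the middleware.
SAMPLE_APP = ->(_env) { [200, { "Set-Cookie" => SAMPLE_COOKIE }, ["ok"]] }

def audit_through_middleware(scheme)
  _status, headers, _body = SecureCookieFlag.new(SAMPLE_APP).call("rack.url_scheme" => scheme)
  missing_cookie_flags(headers["Set-Cookie"])
end

puts "raw cookie is missing: #{missing_cookie_flags(SAMPLE_COOKIE).inspect}"
puts "over https is missing: #{audit_through_middleware('https').inspect}"
puts "over http is missing:  #{audit_through_middleware('http').inspect}"
```

The audit function is the same check the scanner performed: run over the cookie quoted in the finding it reports only `Secure` as missing, and after the middleware has processed an HTTPS response it reports nothing.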
