Will It Vibe logoWill It Vibe?
EXPRESS-019Medium severity-8 points

Session cookie with secure disabled

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A session cookie is configured with secure: false, so it is sent over plain HTTP and can be captured on the wire.

Why it matters

A session cookie with secure: false is sent over plain HTTP, so anyone on the network path can read the session identifier and hijack the session. It also means the cookie is exposed on any accidental http:// request during redirects. Session cookies should only travel over HTTPS.

How to fix it

Set secure: true on the session cookie in production so it is only sent over HTTPS, and pair it with httpOnly: true and a sameSite value. If you need plain HTTP for local development, gate secure on NODE_ENV rather than hardcoding false. Make sure the app is actually served over HTTPS (or behind a TLS-terminating proxy with trust proxy set) so the cookie is issued.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks