SSL/TLS: Missing `secure` Cookie Attribute

Running the latest Docker build. Our security audit reported the following:


The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.

Detection Result

The cookies: Set-Cookie: PHPSESSID=replaced; path=/; HttpOnly; SameSite=Lax are missing the “secure” attribute.


The flaw is due to cookie is not using ‘secure’ attribute, which allows cookie to be passed to the server by the client over non-secure channels (http) and allows attacker to conduct session hijacking attacks.

Detection Method

Details: SSL/TLS: Missing secure Cookie Attribute OID:

Affected Software/OS

Server with SSL/TLS.



Solution Type:


Set the ‘secure’ attribute for any cookies that are sent over a SSL/TLS connection.

Any way to fix this issue?


You can add CMS_PHP_COOKIE_SECURE=On to your config.env file to turn this on.

Having this on by default is not something we can advocate as our containers don’t provide SSL (it is not practical to do so).
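
To confirm the setting took effect, re-check the `Set-Cookie` header the CMS returns over HTTPS. The following is an added example, not part of the original thread or the project's code: it parses captured header lines and reports cookies missing `Secure`, `HttpOnly` or `SameSite`. The function names and the `AFTER` and `TRICKY` headers are constructed for illustration.

```python
# Added example (not from the thread): audit Set-Cookie lines for missing attributes.
REQUIRED = ("secure", "httponly", "samesite")

def parse_set_cookie(line):
    """Split one Set-Cookie header into (cookie_name, {attribute: value})."""
    value = line.strip()
    if value.lower().startswith("set-cookie:"):
        value = value[len("set-cookie:"):]
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError(f"not a Set-Cookie value: {line!r}")
    name = parts[0].split("=", 1)[0].strip()
    # Only the parts after the first ';' are attributes; names are case-insensitive.
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit(header_lines):
    """Return {cookie_name: [missing attributes]} for cookies that lack any."""
    findings = {}
    for line in header_lines:
        name, attrs = parse_set_cookie(line)
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:
            findings[name] = missing
    return findings

# Header as reported by the scanner in the thread.
BEFORE = "Set-Cookie: PHPSESSID=replaced; path=/; HttpOnly; SameSite=Lax"
# Constructed: what the same header should look like once Secure is set.
AFTER = "Set-Cookie: PHPSESSID=replaced; path=/; secure; HttpOnly; SameSite=Lax"
# Constructed: "secure" in the cookie value must not count as the attribute.
TRICKY = "Set-Cookie: theme=secure; Path=/"

if __name__ == "__main__":
    for label, header in (("before", BEFORE), ("after", AFTER), ("tricky", TRICKY)):
        print(label, audit([header]) or "ok")
```

Pass it the `Set-Cookie` lines from a response fetched over HTTPS from your own CMS; an empty result means every cookie carries all three attributes.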
