--- title: Ensure cookies have the secure flag set description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST Rules > Ensure cookies have the secure flag set --- # Ensure cookies have the secure flag set {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **ID:** `php-security/cookie-secure-flag` **Language:** PHP **Severity:** Error **Category:** Security **CWE**: [614](https://cwe.mitre.org/data/definitions/614.html) ## Description{% #description %} The secure flag is a part of the `setcookie` function in PHP that dictates that the cookie should only be sent to the server with an encrypted request over the HTTPS protocol. Using this flag helps protect sensitive cookie data from being exposed over insecure connections, reducing the risk of data theft or tampering. Cookies often contain sensitive information, and transmitting them securely is a fundamental part of web application security. To ensure compliance with this rule, always set the secure flag to true when using the `setcookie` or `session_set_cookie_params` functions in PHP. For example, `setcookie($name, $value, $expire, $path, $domain, true);` or `session_set_cookie_params($lifetime, $path, $domain, true);`. By doing this, you can significantly enhance the security of your PHP applications. ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```php