How can I check that my cookies are only sent over encrypted https and not http?

How can I check that my cookies are only sent over encrypted https and not http? 

 

The cookies secure flag looks like this:

secure;

That‘s it.
This should appear at the end of the Http header:  出现在HttpResponse的Header里面

Set-Cookie: mycookie=somevalue; path=/securesite/; Expires=12/12/2010; secure; httpOnly;

Of course, to check it, simply plug in any proxy or sniffer (I use the excellent Fiddler) and watch...

*Bonus: I also threw in there the httpOnly attribute, protects against cookie access from Javascript space, e.g. via XSS.

 

下面的demo

HTTP/1.1 302 Found
Cache-Control: private,no-cache,no-store
Content-Type: text/html; charset=utf-8
Location: /UK_60_Dev_Admin/Edenred/Home
Server: Microsoft-IIS/10.0
Set-Cookie: AdminSession=hg3heuwrkvjbs33splammvam; path=/; secure; HttpOnly; SameSite=Lax
Set-Cookie: AdminSite=AFE9723AD316A7B77211552AE4E7913717B1FBA4C87DD997FD23950625C98F643F6A2F486247F893E9C8057CF047DF2D2CE47DEFD8B1EB5DFB676E02B00CFA3B3BE17FC0386F10576BB80B03B5F9CD737DBF37D52599BB80F9072E506DF8357E86807C4321094A81009B49F5C1AB0DF0F24360BAE10713A83E3C40EAD5FECCEB4C814FEC394C4EF4F386C849885A51F14A1D3A16D1E444F429D249BF1DBD457745C17BF0A70DAA47230FDA836CE8D55A5F915AA6B0CA17C5693CB79D89B3C12FF0E8D652EE12739BA1D15D4333641F8115676C84DEC2A83F326A199F69D2EAD08FE6BB8ACEF0BB917FCB938E5AB2B3DFBCE2B60C6AD0E019FD7A036E2CF9FDD4A5DCC69746BD602738BF7AE5657D1CE3AAE6E63C1BE23B0C905DB779; path=/; secure; HttpOnly
X-Powered-By: ASP.NET
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Date: Tue, 07 Sep 2021 03:38:06 GMT
Content-Length: 146

 

How can I check that my cookies are only sent over encrypted https and not http?

上一篇:HttpOnly


下一篇:Vue的路由及静态路由和动态路由的区别