ESAPI optionally sets the 'secure' flag if it was previously set for that cookie or if the ESAPI configuration setting is set to force the 'secure' flag.
File - DefaultHTTPUtilities.java - lines 202 and 203
https://lgtm.com/projects/g/ESAPI/esapi-java-legacy/snapshot/90e6840a808072b84971d6a0420c32cb4cc1b3a7/files/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java?sort=name&dir=ASC&mode=heatmap#x380ba0072f375958:1
Line 202 of this file sets the secure flag if the 'secure' flag for that cookie was previously set or if the developer using ESAPI has the property "HttpUtilities.ForceSecureCookies" set to "true" in their ESAPI.properties file. Because ESAPI is an SDK, that is a security library, we cannot force developers to use the 'secure' flag without potentially breaking code. (However, the default setting for "HttpUtilities.ForceSecureCookies" is set to "true" in the default ESAPI.properties configuration file.)