article Secure Flag on Cookies - Understanding Findings from Third‑Party Security Assessments in Troubleshooting https://community.dynatrace.com/t5/Troubleshooting/Secure-Flag-on-Cookies-Understanding-Findings-from-Third-Party/ta-p/293858 <DIV class="lia-message-template-content-zone"> <P>Customers often contact us after receiving <STRONG>security reports from third‑party assessments or penetration tests</STRONG> indicating missing <EM>Secure</EM> attributes on certain cookies.<BR />This may raise questions about whether the flag should be <STRONG>enabled</STRONG>, whether it is safe, or whether it can be configured by default across your Dynatrace environment.</P> <P>In Dynatrace, the current behavior is <STRONG>by design</STRONG>:<BR />The Secure attribute is enabled when technically safe across all HTTPS‑based communication.<BR />Where it is not yet enforced by default, Dynatrace gradually aligns these cases with modern security best practices.<BR />When needed, customers can enable the Secure flag according to the official documentation:<BR /><span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span><A href="https://docs.dynatrace.com/docs/shortlink/cookies#secure-cookies" target="_blank" rel="noopener">https://docs.dynatrace.com/docs/shortlink/cookies#secure-cookies</A></P> <P>Enabling the Secure flag is fully supported and recommended in any environment served exclusively over HTTPS. It can also help resolve scanner findings and is supported and recommended if the monitored application is served via HTTPS.</P> <DIV> <H2><STRONG>Frequently Asked Questions</STRONG></H2> <P><STRONG>Why do scanners report this as a vulnerability?</STRONG><BR />Most security tools follow strict baseline rules (e.g., OWASP). Even if your application already uses HTTPS, scanners will still flag any cookie missing the Secure attribute because they cannot detect context.</P> <P><STRONG>Is enabling the Secure flag supported by Dynatrace?</STRONG><BR />Yes. Dynatrace fully supports enabling the Secure flag for its cookies in HTTPS environments.</P> <P><STRONG>Will enabling the Secure flag break anything?</STRONG><BR />No. Since Dynatrace traffic is already HTTPS‑based, setting the flag to <EM>Secure = Yes</EM> does not change behavior, compatibility, or data collection.</P> <P><STRONG>Can we enable the Secure flag in bulk?</STRONG><BR />Bulk configuration is not currently available on cookie‑level attributes.<BR />Dynatrace applies secure defaults progressively and allows enabling Secure where applicable through configuration.</P> <P><STRONG>Can we change the system‑wide default to “Secure = Yes”?</STRONG><BR />Not globally.<BR />Defaults are applied only where technically safe and aligned with existing architecture.<BR />Remaining cases are being aligned over time.</P> <P><STRONG>Is it safe to enable the Secure flag if everything runs over HTTPS?</STRONG><BR />Absolutely.<BR />If your environment is HTTPS‑only, enabling the Secure flag is the expected secure configuration and resolves most scanner findings.</P> <H2><STRONG>Need more help?</STRONG></H2> <P>If you need assistance interpreting your security report or configuring the Secure flag in your environment, feel free to open a ticket with <STRONG>Dynatrace Technical Support</STRONG> — we’ll be happy to help.</P> </DIV> </DIV> Fri, 30 Jan 2026 11:44:58 GMT LucaGalliani 2026-01-30T11:44:58Z Secure Flag on Cookies - Understanding Findings from Third‑Party Security Assessments https://community.dynatrace.com/t5/Troubleshooting/Secure-Flag-on-Cookies-Understanding-Findings-from-Third-Party/ta-p/293858 <DIV class="lia-message-template-content-zone"> <P>Customers often contact us after receiving <STRONG>security reports from third‑party assessments or penetration tests</STRONG> indicating missing <EM>Secure</EM> attributes on certain cookies.<BR />This may raise questions about whether the flag should be <STRONG>enabled</STRONG>, whether it is safe, or whether it can be configured by default across your Dynatrace environment.</P> <P>In Dynatrace, the current behavior is <STRONG>by design</STRONG>:<BR />The Secure attribute is enabled when technically safe across all HTTPS‑based communication.<BR />Where it is not yet enforced by default, Dynatrace gradually aligns these cases with modern security best practices.<BR />When needed, customers can enable the Secure flag according to the official documentation:<BR /><span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span><A href="https://docs.dynatrace.com/docs/shortlink/cookies#secure-cookies" target="_blank" rel="noopener">https://docs.dynatrace.com/docs/shortlink/cookies#secure-cookies</A></P> <P>Enabling the Secure flag is fully supported and recommended in any environment served exclusively over HTTPS. It can also help resolve scanner findings and is supported and recommended if the monitored application is served via HTTPS.</P> <DIV> <H2><STRONG>Frequently Asked Questions</STRONG></H2> <P><STRONG>Why do scanners report this as a vulnerability?</STRONG><BR />Most security tools follow strict baseline rules (e.g., OWASP). Even if your application already uses HTTPS, scanners will still flag any cookie missing the Secure attribute because they cannot detect context.</P> <P><STRONG>Is enabling the Secure flag supported by Dynatrace?</STRONG><BR />Yes. Dynatrace fully supports enabling the Secure flag for its cookies in HTTPS environments.</P> <P><STRONG>Will enabling the Secure flag break anything?</STRONG><BR />No. Since Dynatrace traffic is already HTTPS‑based, setting the flag to <EM>Secure = Yes</EM> does not change behavior, compatibility, or data collection.</P> <P><STRONG>Can we enable the Secure flag in bulk?</STRONG><BR />Bulk configuration is not currently available on cookie‑level attributes.<BR />Dynatrace applies secure defaults progressively and allows enabling Secure where applicable through configuration.</P> <P><STRONG>Can we change the system‑wide default to “Secure = Yes”?</STRONG><BR />Not globally.<BR />Defaults are applied only where technically safe and aligned with existing architecture.<BR />Remaining cases are being aligned over time.</P> <P><STRONG>Is it safe to enable the Secure flag if everything runs over HTTPS?</STRONG><BR />Absolutely.<BR />If your environment is HTTPS‑only, enabling the Secure flag is the expected secure configuration and resolves most scanner findings.</P> <H2><STRONG>Need more help?</STRONG></H2> <P>If you need assistance interpreting your security report or configuring the Secure flag in your environment, feel free to open a ticket with <STRONG>Dynatrace Technical Support</STRONG> — we’ll be happy to help.</P> </DIV> </DIV> Fri, 30 Jan 2026 11:44:58 GMT https://community.dynatrace.com/t5/Troubleshooting/Secure-Flag-on-Cookies-Understanding-Findings-from-Third-Party/ta-p/293858 LucaGalliani 2026-01-30T11:44:58Z