LucaGalliani
Dynatrace Contributor

Customers often contact us after receiving security reports from third‑party assessments or penetration tests indicating missing Secure attributes on certain cookies.
This may raise questions about whether the flag should be enabled, whether it is safe, or whether it can be configured by default across your Dynatrace environment.

In Dynatrace, the current behavior is by design:
The Secure attribute is enabled when technically safe across all HTTPS‑based communication.
Where it is not yet enforced by default, Dynatrace gradually aligns these cases with modern security best practices.
When needed, customers can enable the Secure flag according to the official documentation:
👉https://docs.dynatrace.com/docs/shortlink/cookies#secure-cookies

Enabling the Secure flag is fully supported and recommended in any environment where the monitored application is served exclusively over HTTPS. It can also help resolve scanner findings.

Frequently Asked Questions

Why do scanners report this as a vulnerability?
Most security tools follow strict baseline rules (e.g., OWASP). Even if your application already uses HTTPS, scanners will still flag any cookie missing the Secure attribute because they cannot take the deployment context into account.
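The check behind such a finding is mechanical: each Set-Cookie header is inspected for the Secure attribute. The following added example (not Dynatrace code; all cookie names and values are constructed) reproduces that check, so you can confirm a reported finding or verify the result after enabling the flag.

```python
# Added example: audit Set-Cookie header values for the Secure attribute.
# All cookie names and values below are constructed for illustration.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cookies_missing_secure(set_cookie_values):
    """Return the names of cookies whose attribute list lacks Secure."""
    missing = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        # Only the attribute list counts; the cookie name and value are
        # ignored, so "secure" appearing there does not hide a finding.
        if "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample: Set-Cookie values as they might appear in a response.
SAMPLE_HEADERS = [
    "exampleSession=abc123; Path=/; Secure; HttpOnly",       # OK
    "exampleMonitoring=v_4_srv_1; Path=/; SameSite=Lax",     # flagged
    "secure_pref=1; Path=/",                                 # flagged: name only
    "exampleVisitor=secure; Path=/; SameSite=None; secure",  # OK: lowercase attribute
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"missing Secure: {cookie_name}")
```

To check a real environment, replace SAMPLE_HEADERS with the Set-Cookie values captured from your own application's HTTPS responses.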

Is enabling the Secure flag supported by Dynatrace?
Yes. Dynatrace fully supports enabling the Secure flag for its cookies in HTTPS environments.

Will enabling the Secure flag break anything?
No. Since Dynatrace traffic is already HTTPS‑based, setting the flag to Secure = Yes does not change behavior, compatibility, or data collection.

Can we enable the Secure flag in bulk?
Bulk configuration is not currently available for cookie‑level attributes.
Dynatrace applies secure defaults progressively and allows enabling Secure where applicable through configuration.

Can we change the system‑wide default to “Secure = Yes”?
Not globally.
Defaults are applied only where technically safe and aligned with existing architecture.
Remaining cases are being aligned over time.

Is it safe to enable the Secure flag if everything runs over HTTPS?
Absolutely.
If your environment is HTTPS‑only, enabling the Secure flag is the expected secure configuration and resolves most scanner findings.

Need more help?

If you need assistance interpreting your security report or configuring the Secure flag in your environment, feel free to open a ticket with Dynatrace Technical Support — we’ll be happy to help.

Version history
Last update: 29 Jan 2026 02:45 PM