Session cookie secure by default

7 years ago · f212d2d53f
2 changed files with 2 additions and 2 deletions
--- a/docs/config.rst
+++ b/docs/config.rst
@ -206,7 +206,7 @@ The following configuration values are used internally by Flask:
    marked "secure". The application must be served over HTTPS for this to make
    sense.

-    Default: ``False``
+    Default: ``True``

 .. py:data:: SESSION_COOKIE_SAMESITE

--- a/flask/app.py
+++ b/flask/app.py
@ -293,7 +293,7 @@ class Flask(_PackageBoundObject):
        'SESSION_COOKIE_DOMAIN':                None,
        'SESSION_COOKIE_PATH':                  None,
        'SESSION_COOKIE_HTTPONLY':              True,
-        'SESSION_COOKIE_SECURE':                False,
+        'SESSION_COOKIE_SECURE':                True,
        'SESSION_COOKIE_SAMESITE':              None,
        'SESSION_REFRESH_EACH_REQUEST':         True,
        'MAX_CONTENT_LENGTH':                   None,