From f212d2d53f7721e7c3fe991f3eebcac3a23c75f8 Mon Sep 17 00:00:00 2001
From: David Jetelina
Date: Tue, 22 May 2018 16:38:04 +0200
Subject: [PATCH] Session cookie secure by default
---
 docs/config.rst | 2 +-
 flask/app.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/config.rst b/docs/config.rst
index c2958bf7..a4f972cb 100644
--- a/docs/config.rst
+++ b/docs/config.rst
@@ -206,7 +206,7 @@ The following configuration values are used internally by Flask:
 marked "secure". The application must be served over HTTPS for this to make sense.
- Default: ``False``
+ Default: ``True``
 .. py:data:: SESSION_COOKIE_SAMESITE
diff --git a/flask/app.py b/flask/app.py
index 87c59003..7bd2a7ac 100644
--- a/flask/app.py
+++ b/flask/app.py
@@ -293,7 +293,7 @@ class Flask(_PackageBoundObject):
 'SESSION_COOKIE_DOMAIN': None,
 'SESSION_COOKIE_PATH': None,
 'SESSION_COOKIE_HTTPONLY': True,
- 'SESSION_COOKIE_SECURE': False,
+ 'SESSION_COOKIE_SECURE': True,
 'SESSION_COOKIE_SAMESITE': None,
 'SESSION_REFRESH_EACH_REQUEST': True,
 'MAX_CONTENT_LENGTH': None,
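Review bot: Flipping `SESSION_COOKIE_SECURE` to `True` in the app.py hunk silently breaks session persistence for every application served over plain HTTP, including local development and presumably test-client setups, because a browser never returns a cookie flagged Secure over http and Flask raises no error when that happens. The docs hunk in this same commit still says the application "must be served over HTTPS for this to make sense", so at minimum the new default needs an inline comment, e.g. `'SESSION_COOKIE_SECURE': True,  # cookie is never sent over plain HTTP; override for non-TLS deployments`, plus a CHANGES entry describing the migration. A less disruptive option is to keep the default and have the deployment docs recommend enabling it in production, or to log a warning when a session cookie is set on a non-HTTPS request. The default_config mapping and the Flask class both start outside this hunk.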