Is there any point in setting the secure cookie flag for HSTS websites?

Yes, you should still mark your cookies as secure, for three reasons:

  • You don't want them to be exposed just because of a server configuration mishap. What if you move your application to a server with a different configuration?

  • HSTS is trust on first use. If your HSTS has expired but your cookies have not, the browser may send them unencrypted. Whether or not there is something responding to plain HTTP is irrelevant here.

  • As Tgr writes, not all browsers support HSTS.

I admit that the benefits aren't huge here, but the cost is basically zero. So set the secure flag!


Not all browsers honor HSTS. IE mobile doesn't, for example; desktop IE only does since version 11; cloud-based browsers like Opera Mini don't. Marking your cookies as secure is trivial and good defense in depth.