COOKIES · 5 MIN READ

Catch a cookie missing the Secure flag

Fail the moment any cookie is set without the Secure flag, so a session token can never travel over plain HTTP.

The problem

A cookie set without the Secure flag will ride along on an unencrypted HTTP request, which is all an attacker on the same network needs to read a session token straight off the wire. It creeps in quietly: a misconfigured backend, a third-party widget, or a debug toggle that shipped. Every page renders perfectly and every functional test passes, because the flag lives in the cookie metadata, not anywhere a screenshot or a click can reach. The gap surfaces in a security review months later, or worse, in an incident.

The idea

The Secure flag is the cookie promising it will only travel on an encrypted connection. This check walks every cookie the site sets and makes sure not one of them forgot to say it.

What you will catch

  • A session or auth cookie set without the Secure flag
  • A third-party cookie that quietly weakens your security posture
  • A finding a penetration test would flag, caught before it ships

How it works

Kane CLI reads each cookie's attributes at the protocol level rather than from document.cookie, so it inspects the Secure flag on every cookie, including the HttpOnly ones a page script can never see. You assert in plain English that none of them are missing it.

Run it now

kane-cli --tui
# then paste this objective:
Go to https://github.com and let it load.
Assert: no cookie is set without the Secure flag.

Or one line, for CI or sharing

kane-cli run "Go to https://github.com and let it load.
Assert: no cookie is set without the Secure flag." --agent

What prints

Example run. Your numbers will vary by site, build and run. The PASS / FAIL and the zero count are the stable result; the raw timings and credit counts are illustrative.

▶ navigate + read cookies                      ok
▶ assert no cookie without Secure   0 found    ✓ PASS

RESULT  PASS   exit 0   ~50s   ~7 to 13 credits

Adapt it to your app

Go to <your app> and complete <a flow that sets your cookies>.
Assert: no cookie is set without the Secure flag.

Why it works

The check reads cookie attributes from the protocol layer, so it sees the Secure flag on every cookie the site sets, not just the ones JavaScript can read. A single cookie missing Secure is one downgrade away from leaking, which is exactly the gap this closes.
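As an added example, not Kane CLI's own code, here is the same check done by hand over raw Set-Cookie response headers. Reading at the header level, rather than through document.cookie, is what lets an HttpOnly cookie be inspected as well; the sample headers are constructed.

```python
# Added example, not Kane CLI's code: parse raw Set-Cookie response headers
# (what a protocol-level reader sees, HttpOnly cookies included) and report
# every cookie that lacks the Secure attribute.
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value (True for valueless flags)
    attrs: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        # Attribute names are case-insensitive; flags like Secure and
        # HttpOnly carry no value, so store True for them.
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return Cookie(name.strip(), value, attrs)


def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies set without the Secure attribute."""
    return [c.name for c in map(parse_set_cookie, set_cookie_headers) if not c.secure]


# Constructed sample headers standing in for a captured response.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "csrf=tok; Path=/; Secure",
    "widget_id=42; Path=/; Max-Age=3600",  # third-party style, no Secure
    "debug=1; HttpOnly",                   # invisible to page scripts, still insecure
]

if __name__ == "__main__":
    missing = cookies_missing_secure(SAMPLE_HEADERS)
    print("FAIL" if missing else "PASS", missing)
```

The final cookie shows why header-level reading matters: it is HttpOnly, so a document.cookie based check would never see that it is missing Secure.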

What it unlocks

A one line security gate. Wire it into CI and a cookie that ships without Secure fails the build, instead of waiting to be found in a penetration test.
