The com.auth0.state cookie has been flagged by our security scans for missing the Secure attribute. It is set by Auth0 during the redirect to /authorize. I previously found a post discussing other cookies not being marked Secure as a design decision, but it didn’t mention com.auth0.state specifically. The cookies referenced were:
auth0.organization_hint
_legacy_auth0.organization_hint
auth0.is.authenticated
_legacy_auth0.is.authenticated
Does the answer in that thread also apply to the com.auth0.state cookie?
Is there a way to ensure this cookie is set with the Secure attribute, or is this a warning that can be safely ignored for now?
Note: All requests are over HTTPS.
Thanks for the help!