Bluemix generates a VCAP_ID cookie which is not secure at the moment (see below). Is there a way I can force it to be secure? Is there any reason for not making it secure?
Set-Cookie:VCAP_ID=[redacted]; Path=/; HttpOnly
vs.
Set-Cookie:VCAP_ID=[redacted]; Path=/; HttpOnly; Secure
No, this is set internally by Bluemix. We can take this back to the dev team to make the cookie secure though.