Secure flag on Google Cloud Load Balancer cookie

Our GCP Load Balancer is set up to route to our back-end service using cookie session affinity. It's working OK, but the secure flag is not set. We have tried to specify it according to RFC 7230:

Set-Cookie: Secure

Theoretically, the header can be configured as a backend-service custom request header. The backend-service description:

gcloud beta compute backend-services describe my-backend-service --global

- 'Set-Cookie: Secure'
description: ''
enableCDN: false
fingerprint: XXXXXX-XX
kind: compute#backendService
loadBalancingScheme: EXTERNAL
name: my-backend-service
port: 80
portName: http
protocol: HTTP
sessionAffinity: GENERATED_COOKIE
timeoutSec: 300

However, the GCLB cookie is still not showing the secure flag.

What are we doing wrong?

Thanks in advance.


  • Make sure that the value passed into UriCookieConfig was HTTP and not https. Switching to https changed the set-cookie to be secure and might fix your issue.

    When setting a cookie, the cookie is not set with a secure attribute but NOT because it is set via HTTP (though that is not ideal either). A secure flag in a set-cookie header instructs the client to only send the cookie back via a secure channel (e.g. https). It redirects to https when the request isn't secure:

    See the following document for more details on setting the secure Flag:
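
As an added example (not part of the original question or answer), this Python code checks which cookies in a response carry the Secure attribute, including a header whose value is only the word `Secure`. The sample headers are constructed, and the function names `parse_set_cookie` and `audit` are hypothetical.

```python
# Added example (not from the original post): audit Set-Cookie response
# headers for the Secure attribute. All header values below are constructed.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, cookie_value, attrs)."""
    first, *rest = [part.strip() for part in value.split(";")]
    if "=" not in first:
        # No name=value pair, e.g. a bare "Secure": nothing to attach attributes to.
        return None, None, {}
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit(headers):
    """Return {cookie_name: finding} for every Set-Cookie header.

    headers is a list of (name, value) tuples, because a response can carry
    several Set-Cookie headers and a dict would collapse them.
    """
    findings = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hvalue)
        if name is None:
            findings[hvalue] = "no name=value pair"
        elif "secure" in attrs:
            findings[name] = "ok"
        else:
            findings[name] = "missing Secure"
    return findings


# Constructed sample response headers (values are placeholders).
SAMPLE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "GCLB=CONSTRUCTED_VALUE; path=/; HttpOnly"),
    ("Set-Cookie", "session=CONSTRUCTED_VALUE; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "Secure"),
]

if __name__ == "__main__":
    for cookie, finding in audit(SAMPLE).items():
        print(f"{cookie}: {finding}")
```

To audit a live response, pass in the header list from an HTTP client that keeps repeated headers separate instead of the constructed `SAMPLE`.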