Secure cookie flags missing when hosting Umbraco 13 on Azure App Service

I’m hosting an Umbraco 13 site directly on Azure App Service.
During a PCI scan, I discovered that some cookies from the application are not marked as Secure, even though the site is served exclusively over HTTPS.

Specifically:

  • The .AspNetCore.Antiforgery cookie (which I believe is created by Umbraco Forms) is returned with Secure=false.

  • The UMB_SESSION cookie also appears without the Secure flag.

According to the Umbraco documentation, the UMB_SESSION cookie should automatically be secure when running over HTTPS:

“The UMB_SESSION cookie is secure if you are using HTTPS pages.”

Despite that, the Secure flag is still set to false.
Has anyone encountered this when hosting an Umbraco site on Azure App Service — and found a way to ensure these cookies are marked as secure?

Yes! Our pen testers picked this up.

In my Startup.cs I added:

using Microsoft.AspNetCore.Http; // CookieSecurePolicy
using Microsoft.Extensions.DependencyInjection;

// secure flag on .AspNetCore.Antiforgery (inside Startup.ConfigureServices)
services.AddAntiforgery(options =>
{
    options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
});

As a warning: if you have a high-traffic site / lots of revisits, I think I recall that deploying this change will cause issues / errors for visitors with the cookie from before the release.

Please check the expiration of this cookie - you may wish to release last thing at night so it has time to expire for any visitors - test this!

Sorry my memory is hazy here.

1 Like
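As an added example (not code from the thread or from Umbraco), this is one way to cover both cookies the question mentions in an Umbraco 13 Program.cs: the antiforgery cookie via AddAntiforgery, and every other cookie (UMB_SESSION included) via the ASP.NET Core cookie policy middleware, using CookieSecurePolicy.Always so the flag no longer depends on whether the app sees the request as HTTPS. The Umbraco builder chain is the stock template; placing UseCookiePolicy before UseUmbraco and relying on it for UMB_SESSION are my assumptions, not something the thread confirms.

```csharp
// Program.cs for an Umbraco 13 site. Relies on the template's implicit usings.
WebApplicationBuilder builder = WebApplication.CreateBuilder(args);

// Antiforgery cookie (.AspNetCore.Antiforgery.*): Always sets Secure
// unconditionally, unlike SameAsRequest, which only does so when the
// app itself sees the request as HTTPS.
builder.Services.AddAntiforgery(options =>
{
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

// Global policy: every Set-Cookie written by any component, including
// the session cookie (UMB_SESSION), is rewritten with the Secure flag.
// Only Secure is forced here; HttpOnly is deliberately left alone
// because the back office reads some of its cookies from JavaScript.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.Secure = CookieSecurePolicy.Always;
});

// Standard Umbraco 13 template wiring.
builder.CreateUmbracoBuilder()
    .AddBackOffice()
    .AddWebsite()
    .AddDeliveryApi()
    .AddComposers()
    .Build();

WebApplication app = builder.Build();
await app.BootUmbracoAsync();

// Assumption: the cookie policy middleware is registered before the
// Umbraco pipeline so it runs ahead of anything that appends cookies.
app.UseCookiePolicy();

app.UseUmbraco()
    .WithMiddleware(u =>
    {
        u.UseBackOffice();
        u.UseWebsite();
    })
    .WithEndpoints(u =>
    {
        u.UseInstallerEndpoints();
        u.UseBackOfficeEndpoints();
        u.UseWebsiteEndpoints();
    });

await app.RunAsync();
```

After deploying, `curl -sI https://<your-site>/ | grep -i set-cookie` should show `secure` on every Set-Cookie header returned, which is a quick way to confirm the fix before the next PCI scan.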