Tags: cookies, jax-rs, websphere-liberty, open-liberty, ltpa

Securing LTPA Token in WebSphere Liberty Profile


We are using WebSphere Liberty Profile (17.0.0.4) to run our JAX-RS REST services. We are running our applications through Contrast, which is a scanning service. It is flagging our cookies as having the secure flag turned off. However, we are not using or touching any cookies in our code. The only cookie that is coming back in the response from our services is LtpaToken2, and sure enough, it has the secure flag set to false. How can I enable the secure flag for the LtpaToken2 cookie (hopefully via configuration and not having to read and rewrite it in our code)?


Solution

  • Adding <webAppSecurity ssoRequiresSSL="true"/> to the server.xml file should do it.
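
To confirm the change took effect, the following added example (not part of the original answer) checks both a server.xml for `ssoRequiresSSL="true"` and a list of `Set-Cookie` response headers for the `Secure` attribute. The function names, the sample server.xml content and the sample headers are constructed for illustration; it assumes a single server.xml with no include files or `${...}` variables.

```python
import xml.etree.ElementTree as ET


def sso_requires_ssl(server_xml: str) -> bool:
    """True if <webAppSecurity ssoRequiresSSL="true"/> is in effect.

    An absent element or attribute counts as not enabled, which matches the
    behaviour described in the question. If the element appears more than
    once, the last value seen wins (assumption made by this example).
    """
    value = "false"
    for elem in ET.fromstring(server_xml).iter("webAppSecurity"):
        value = elem.get("ssoRequiresSSL", value)
    return value.strip().lower() == "true"


def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies whose Set-Cookie value lacks Secure."""
    missing = []
    for header in set_cookie_headers:
        name_value, *attrs = [part.strip() for part in header.split(";")]
        name = name_value.split("=", 1)[0]
        # Attribute names are case-insensitive; some carry a value (Path=/).
        flags = {attr.split("=", 1)[0].lower() for attr in attrs}
        if "secure" not in flags:
            missing.append(name)
    return missing


# Constructed sample inputs (not taken from the question).
BEFORE_XML = """<server>
  <featureManager><feature>jaxrs-2.0</feature></featureManager>
</server>"""
AFTER_XML = """<server>
  <featureManager><feature>jaxrs-2.0</feature></featureManager>
  <webAppSecurity ssoRequiresSSL="true"/>
</server>"""
BEFORE_HEADERS = ["LtpaToken2=CONSTRUCTED-VALUE; Path=/; HttpOnly"]
AFTER_HEADERS = ["LtpaToken2=CONSTRUCTED-VALUE; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, xml_text, headers in (("before", BEFORE_XML, BEFORE_HEADERS),
                                     ("after", AFTER_XML, AFTER_HEADERS)):
        print(label,
              "ssoRequiresSSL:", sso_requires_ssl(xml_text),
              "cookies missing Secure:", cookies_missing_secure(headers))
```

In practice, feed `cookies_missing_secure` the `Set-Cookie` values captured from a real HTTPS response of the service after restarting the server with the updated configuration.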