Secure - Cookie will be sent in HTTPS transmission only.
These flags are used with the 'secure' attribute: _Secure-
must not have 'domain' attribute, it will be only sent to the host which set it.
Must have a 'path' attribute, that is set to '/', because it will be sent to the host in every request from the host.
в принципе, можно начать с этого списка (найден на просторах SO)