I am trying to strengthen the security of my websites. I have set security policies in my nginx webserver, to promote secure cookies on my websites (using the header `add_header Set-Cookie "Path=/; HttpOnly; Secure";`).
There is only one cookie now that is never set as secure, it is the `__wpdm_client` cookie.
If this cookie is set with PHP, it should use the `secure=true` option (see https://www.php.net/manual/en/function.setcookie.php) when HTTPS is detected.

On the server-side, it's on the programmer to send this kind of cookie only on a secure connection (e.g. with respect to `$_SERVER["HTTPS"]`).
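Below is an added example of the server-side approach the post asks for; it is not code from the WordPress Download Manager plugin or from the original poster. Only the cookie name `__wpdm_client` comes from the post; the helper names `request_is_https`, `client_cookie_options` and `set_wpdm_client_cookie` are illustrative. One caveat worth knowing: an nginx `add_header Set-Cookie ...` directive emits an additional `Set-Cookie` header rather than adding flags to cookies the application already sent, so a cookie only becomes `Secure` if the PHP code that sets it asks for that flag. The example also handles the case where TLS is terminated by a reverse proxy (then `$_SERVER['HTTPS']` is typically absent and `X-Forwarded-Proto` must be consulted, but only from a trusted proxy, since a client can forge that header).

```php
<?php
// Added example, not part of the plugin or the original post.
// Cookie name __wpdm_client is from the post; helper names are illustrative.

/**
 * Decide whether the current request came in over HTTPS.
 *
 * $_SERVER['HTTPS'] is populated by PHP when the web server itself
 * terminated TLS (nginx/Apache with SSL). Behind a TLS-terminating
 * proxy it is usually missing, so X-Forwarded-Proto is consulted, but
 * only when $trustProxy is true: the header is client-controlled unless
 * the proxy overwrites it.
 */
function request_is_https(array $server, bool $trustProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        // The header may carry a comma-separated chain; the first entry is the client hop.
        $first = strtolower(trim(explode(',', (string) $server['HTTP_X_FORWARDED_PROTO'])[0]));
        return $first === 'https';
    }
    return false;
}

/**
 * Options array for setcookie() (PHP >= 7.3 form).
 * Secure is set only when the request is HTTPS, because browsers drop a
 * Secure cookie sent over plain HTTP; HttpOnly and SameSite=Lax are set always.
 */
function client_cookie_options(bool $https, int $lifetimeSeconds = 30 * 86400): array
{
    return [
        'expires'  => time() + $lifetimeSeconds,
        'path'     => '/',
        'domain'   => '',        // host-only cookie
        'secure'   => $https,    // the flag the post is asking for
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}

/**
 * Set the client cookie with flags derived from the current request.
 * Returns setcookie()'s result (false if headers were already sent).
 */
function set_wpdm_client_cookie(string $value, bool $trustProxy = false): bool
{
    $https = request_is_https($_SERVER, $trustProxy);
    return setcookie('__wpdm_client', $value, client_cookie_options($https));
}

// Typical call site, early in the request before any output is produced:
// set_wpdm_client_cookie(bin2hex(random_bytes(16)), false);
```

To verify the result from the outside, request the page over HTTPS with `curl -sI https://your-site.example/ | grep -i set-cookie` and confirm that the `__wpdm_client` line carries `Secure` and `HttpOnly`; a cookie that still lacks `Secure` there is being set by code that does not pass the flag, regardless of any `add_header Set-Cookie` line in nginx.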