Cookie Security

While going through pen tests and security scans, I have gotten warnings about several Keycloak cookies:


The first 2 that they didn’t have SameSite set, the last one that it didn’t have Secure set.

I have a few questions:

  • What is each of these cookies for? I’ve looked in the docs for a guide to cookies set by Keycloak, but I could not find any. I want to understand what each one does.
  • I have Keycloak on the same origin as the application it is protecting and I have HTTPS on both. Can I change something to set the SameSite flag? Can I change something to make it so that Secure is always set?