Hi!
I set in realm configuration Require SSL: all requests, and all Keycloak cookies now have Secure flag, except kc_session cookie.
I found here: [keycloak-user] Set-Cookie is missing 'Secure' and 'HttpOnly' flags that:
KEYCLOAK_SESSION cookie is not marked HttpOnly and is used by our iframe to detect if the user is logged in still
Is “kc_session” name of “KEYCLOAK_SESSION” cookie?
“kc_session” isn’t marked with Secure flag, as it is necessary to iframe?
Keycloak version 15.0.2