After adding the following tag in web.config
<httpCookies requireSSL="true" />I am getting "Set-Cookie:Secure" in every response header. But
I can see there are duplicate "Set-Cookie" attributes in the headers as below
IBM AppScan is raising an exception - Missing Secure Attribute in Encrypted Session (SSL) Cookie. I have gone through this question and RFC 6265 but I am not clear if a response header can have another "Set-Cookie" attribute for secure flag.