As part of general security good practices, you should always (whenever possible):
- use HTTPS to serve all requests
- serve redirects to upgrade HTTP requests to HTTPS
- set session cookies to `secure` and `http_only`
- enable HTTP Strict Transport Security (HSTS)
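The four items above can be enforced in one place rather than per route. The following is an added example, not code from the original page or from any particular framework: a small WSGI middleware that redirects plain HTTP to HTTPS, appends the `Secure` and `HttpOnly` attributes to any session cookie the application sets, and adds an HSTS header to HTTPS responses. The names `SecurityMiddleware`, `harden_cookie`, `demo_app` and the sample environ are this example's own, and the one-year `max-age` is a constructed default.

```python
"""Added example (not from the original page): a WSGI middleware applying
HTTPS upgrade, Secure/HttpOnly cookies and HSTS to any WSGI application.
SecurityMiddleware, harden_cookie and demo_app are this example's own names."""
from urllib.parse import quote

# One year, constructed default; browsers remember HSTS for this many seconds.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def harden_cookie(set_cookie: str) -> str:
    """Return a Set-Cookie value with Secure and HttpOnly present,
    appending each attribute only if the application did not set it."""
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    hardened = set_cookie.rstrip().rstrip(";")
    if "secure" not in attrs:
        hardened += "; Secure"
    if "httponly" not in attrs:
        hardened += "; HttpOnly"
    return hardened


def is_https(environ) -> bool:
    """Detect HTTPS. X-Forwarded-Proto is trusted only because this example
    assumes a TLS-terminating proxy in front that always sets it."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme") == "https" or forwarded == "https"


def https_url(environ) -> str:
    """Rebuild the requested URL with the https scheme for the redirect.
    Production code should check HTTP_HOST against an allow-list, since the
    Host header is client-supplied."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    path = quote(environ.get("SCRIPT_NAME", "")) + quote(environ.get("PATH_INFO", ""))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


class SecurityMiddleware:
    def __init__(self, app, hsts=HSTS_VALUE):
        self.app = app
        self.hsts = hsts

    def __call__(self, environ, start_response):
        if not is_https(environ):
            # Upgrade plain HTTP with a permanent redirect; no body is served over HTTP.
            start_response("301 Moved Permanently",
                           [("Location", https_url(environ)), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            out = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    value = harden_cookie(value)
                out.append((name, value))
            # HSTS only takes effect on HTTPS responses; browsers ignore it over HTTP.
            out.append(("Strict-Transport-Security", self.hsts))
            return start_response(status, out, exc_info)

        return self.app(environ, secure_start_response)


def demo_app(environ, start_response):
    """Constructed sample application that sets a session cookie with no flags."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"hello"]


def call(app, environ):
    """Invoke a WSGI app once and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def sample_environ(scheme, host="example.test", path="/login", query="next=%2F"):
    """Constructed WSGI environ for the demonstration."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SCRIPT_NAME": "",
            "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}


if __name__ == "__main__":
    app = SecurityMiddleware(demo_app)
    print(call(app, sample_environ("http")))   # 301 to the https:// URL
    print(call(app, sample_environ("https")))  # 200 with HSTS and hardened cookie
```

Wrap the real application the same way (`app = SecurityMiddleware(app)`) before handing it to the server. Note that the redirect and the HSTS header are split deliberately: the header is only sent on HTTPS responses, and the redirect carries no content, so nothing sensitive is ever served over plain HTTP.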