The "secure" attribute prevents cookies from being sent over plaintext connections such as HTTP, where they would be easily eavesdropped upon. Instead, cookies with the secure attribute are only sent over encrypted HTTPS connections.
Cookie c = new Cookie(SECRET, secret); // Noncompliant; cookie is not secure response.addCookie(c);
Cookie c = new Cookie(SECRET, secret); c.setSecure(true); response.addCookie(c);