How to set cookie secure flag using javascript

TL;DR

document.cookie = "tagname = test;secure";

You have to use HTTPS to set the secure attribute.

The normal (or formal, maybe) name is attribute, since "flag" refers to other things.

More Info

Cookie attributes:

Secure – Cookie will be sent in HTTPS transmission only.

HttpOnly – Scripts are not allowed to access the cookie. You can set both Secure and HttpOnly.

Domain – specifies the hosts to which the cookie will be sent.

Path – create scopes, cookie will be sent only if the path matches.

Expires – indicates the maximum lifetime of the cookie.

For more details and practical usage, see Testing_for_cookies_attributes_(OTG-SESS-002).

UPDATES
The following contents expire on June 2, 2016.

Cookie Flags

Cookie flags are prefixes. At the moment, they are described in the RFC draft as an update to RFC 6265.

These flags are used with the ‘secure’ attribute.

__Secure-

The dash is part of the prefix. This flag tells the browser that the cookie should only be included in ‘https’.

__Host-

A cookie with this flag:

  1. Must not have a ‘domain’ attribute; it will only be sent to the host that set it.

  2. Must have a ‘path’ attribute that is set to “/”, because it will be sent to the host in every request from the host.
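
The attribute and prefix rules above can be checked before a cookie string is ever assigned to document.cookie. The following is an added example, not code from the original answer; the function names buildCookie and setCookie and the protocol option are hypothetical, and the cookie names and values in the comments are constructed.

```javascript
// Added example: builds a document.cookie string and enforces the rules
// described above for Secure, __Secure- and __Host-.
function buildCookie(name, value, opts = {}) {
  const { secure = false, domain, path, expires, protocol = "https:" } = opts;

  // HttpOnly cannot be set through document.cookie; it needs a Set-Cookie header.
  if (opts.httpOnly) {
    throw new Error("HttpOnly cannot be set from script; use a Set-Cookie header");
  }
  if (secure && protocol !== "https:") {
    throw new Error("Secure can only be set from an HTTPS page");
  }
  if (name.startsWith("__Secure-") && !secure) {
    throw new Error("__Secure- cookies must carry the Secure attribute");
  }
  if (name.startsWith("__Host-")) {
    if (!secure) throw new Error("__Host- cookies must carry the Secure attribute");
    if (domain !== undefined) throw new Error("__Host- cookies must not have a Domain attribute");
    if (path !== "/") throw new Error('__Host- cookies must have Path set to "/"');
  }

  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (domain !== undefined) parts.push(`Domain=${domain}`);
  if (path !== undefined) parts.push(`Path=${path}`);
  if (expires instanceof Date) parts.push(`Expires=${expires.toUTCString()}`);
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// Browser-only wrapper: uses the page's real protocol, then assigns the cookie.
// Example call: setCookie("__Host-sid", "constructed-value", { secure: true, path: "/" })
function setCookie(name, value, opts = {}) {
  const cookie = buildCookie(name, value, { protocol: location.protocol, ...opts });
  document.cookie = cookie;
  return cookie;
}
```

After calling setCookie, read document.cookie back to confirm the browser accepted the cookie, since a rejected prefix or Secure cookie is dropped silently.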
