Open
Description
Something to consider from @tmaher:
log to stderr or throw an exception whenever server issues a cookie
without the secure or httpOnly flags, with a per-cookie override
switch clearly labeled "Give me a plaintext cookie; I understand the
security implications"
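One way the proposed check could look, as an added example that is not code from this project or from the issue's author. Python and WSGI are assumptions (the page does not name the stack), and `CookieFlagAuditor`, `allow_plaintext`, `strict` and `demo_app` are hypothetical names; the sample cookies are constructed.

```python
import sys
REQUIRED = ("secure", "httponly")  # attribute names, compared case-insensitively

class InsecureCookieError(Exception):
    """Raised in strict mode when a cookie lacks a required flag."""

def missing_flags(set_cookie_value):
    """Return (cookie_name, [missing flags]) for one Set-Cookie header value."""
    pair, *attrs = set_cookie_value.split(";")
    name = pair.split("=", 1)[0].strip()
    present = {a.split("=", 1)[0].strip().lower() for a in attrs}
    return name, [flag for flag in REQUIRED if flag not in present]

class CookieFlagAuditor:
    """WSGI middleware: warn on stderr, or raise, for cookies missing flags."""
    def __init__(self, app, allow_plaintext=(), strict=False, log=None):
        self.app = app
        # Hypothetical per-cookie override: names listed here are exempt.
        self.allow_plaintext = frozenset(allow_plaintext)
        self.strict = strict
        self.log = log if log is not None else sys.stderr

    def check(self, headers):
        findings = []
        for key, value in headers:
            if key.lower() != "set-cookie":
                continue
            name, missing = missing_flags(value)
            if missing and name not in self.allow_plaintext:
                findings.append((name, missing))
        return findings

    def __call__(self, environ, start_response):
        def audited_start(status, headers, exc_info=None):
            for name, missing in self.check(headers):
                msg = f"cookie {name!r} issued without {', '.join(missing)}"
                if self.strict:
                    raise InsecureCookieError(msg)
                print(f"WARNING: {msg}", file=self.log)
            return start_response(status, headers, exc_info)
        return self.app(environ, audited_start)

def demo_app(environ, start_response):  # constructed sample application
    start_response("200 OK", [
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/"),
        ("Set-Cookie", "csrf=xyz; Secure"),
    ])
    return [b"ok"]
```

Wrapping `demo_app` with `allow_plaintext={"theme"}` logs only the `csrf` cookie; with `strict=True` and no override, the first offending cookie raises before the response headers are sent.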