Nx-anti-csrf-token secure attribute to cookie

during an internal VA our security team open a vulnerability issue about that.
Reading also OWASP docs seems suggested but not mandatory for this kind of token secure attribute, so anyone knows anything about that, could be a false positive(??) and or how to enable secure flag for this cookie/token

Report Vuln ID

Title: Session Cookie (Authentication Related) Does Not Contain The “secure” Attribute

Severity: Medium

CVSS Score: 6.5


Root Cause: Not Available

Risk Area: Amber

Results: NX-ANTI-CSRF-TOKEN=0.7479063872718273; path=/; domain=
Cookies set via JavaScript do not have an associated HTTP response header.

Evidence: -

Threat: -

Remediation notes
If the associated risk of a compromised account is high, apply the “secure” attribute to session cookies and force all sensitive requests to be sent via HTTPS