Our company was doing security scans on our https website and reported to me that the cfglobal cookie is not being served securely. I did some reading and tried the following solutions to fix this. After checking the headers I still have an unsecured cfglobal cookie. Here's what I tried:
If you do not use client variables then the CFGLOBALS cookie is not required, so if that is the case make sure you have clientManagement set to false in your Application.cfc or cfm.
There is not a setting a CF that adds the secure flag to the cookie so you can use your Web Server to modify the cookie value, here's an example of how to do that using IIS: https://www.petefreitag.com/item/850.cfm