The following Set-Cookie header is raising findings for the cookie-secure and cookie-httponly checks, when both flags are there.
Set-Cookie: SNID=[redacted]_[redacted]-V5Aj-EDUJxQXg; expires=Tue, 07-Apr-2026 21:03:10 GMT; path=/verify; domain=.google.com; Secure; HttpOnly; SameSite=lax