diff --git a/csharp/ql/integration-tests/posix/query-suite/csharp-code-scanning.qls.expected b/csharp/ql/integration-tests/posix/query-suite/csharp-code-scanning.qls.expected
index c0ff79af1c16..4ffd875fda3b 100644
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-code-scanning.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-code-scanning.qls.expected
@@ -16,6 +16,7 @@ ql/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
 ql/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
 ql/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
 ql/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
+ql/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
 ql/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
 ql/csharp/ql/src/Security Features/CWE-117/LogForging.ql
 ql/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql
@@ -33,6 +34,7 @@ ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.q
 ql/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
 ql/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
 ql/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
+ql/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql
 ql/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
 ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
 ql/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
diff --git a/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected b/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
index d4d145986c1b..b520a571fc8c 100644
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
@@ -120,6 +120,7 @@ ql/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
 ql/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
 ql/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
 ql/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
+ql/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
 ql/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql
 ql/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
 ql/csharp/ql/src/Security Features/CWE-117/LogForging.ql
@@ -140,6 +141,7 @@ ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.q
 ql/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
 ql/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
 ql/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
+ql/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql
 ql/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
 ql/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql
 ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
diff --git a/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected b/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
index 48f7ad304a01..13b578d7b525 100644
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
@@ -23,6 +23,7 @@ ql/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
 ql/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
 ql/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
 ql/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
+ql/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
 ql/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql
 ql/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
 ql/csharp/ql/src/Security Features/CWE-117/LogForging.ql
@@ -43,6 +44,7 @@ ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.q
 ql/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
 ql/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
 ql/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
+ql/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql
 ql/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
 ql/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql
 ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
diff --git a/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected b/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
index 4c8d4d42e98a..4776a36a6a90 100644
--- a/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
@@ -84,9 +84,7 @@ ql/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql
 ql/csharp/ql/src/definitions.ql
 ql/csharp/ql/src/experimental/CWE-099/TaintedWebClient.ql
 ql/csharp/ql/src/experimental/CWE-918/RequestForgery.ql
-ql/csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
 ql/csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
-ql/csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql
 ql/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql
 ql/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.ql
 ql/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/security-validation-disabled.ql
diff --git a/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll b/csharp/ql/lib/semmle/code/csharp/security/auth/SecureCookies.qll
similarity index 85%
rename from csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll
rename to csharp/ql/lib/semmle/code/csharp/security/auth/SecureCookies.qll
index e91ae9de5385..56b6294949b8 100644
--- a/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/auth/SecureCookies.qll
@@ -1,13 +1,13 @@
 /**
- * Provides classes and predicates for detecting insecure cookies.
+ * Definitions for detecting insecure and non-HttpOnly cookies.
  */
-deprecated module;
 
 import csharp
-import semmle.code.csharp.frameworks.microsoft.AspNetCore
+private import semmle.code.csharp.frameworks.system.Web
+private import semmle.code.csharp.frameworks.microsoft.AspNetCore
 
 /**
- * Holds if the expression is a variable with a sensitive name.
+ * Holds if the expression is a sensitive string literal or a variable with a sensitive name.
  */
 predicate isCookieWithSensitiveName(Expr cookieExpr) {
   exists(DataFlow::Node sink |
@@ -17,7 +17,7 @@ predicate isCookieWithSensitiveName(Expr cookieExpr) {
 }
 
 /**
- * Configuration for tracking if a variable with a sensitive name is used as an argument.
+ * Configuration for tracking if a sensitive string literal or a variable with a sensitive name is used as an argument.
  */
 private module AuthCookieNameConfig implements DataFlow::ConfigSig {
   private predicate isAuthVariable(Expr expr) {
@@ -33,7 +33,15 @@ private module AuthCookieNameConfig implements DataFlow::ConfigSig {
 
   predicate isSource(DataFlow::Node source) { isAuthVariable(source.asExpr()) }
 
-  predicate isSink(DataFlow::Node sink) { exists(Call c | sink.asExpr() = c.getAnArgument()) }
+  predicate isSink(DataFlow::Node sink) {
+    exists(Call c |
+      sink.asExpr() = c.getAnArgument() and
+      (
+        c.getTarget() = any(MicrosoftAspNetCoreHttpResponseCookies cls).getAppendMethod() or
+        c.(ObjectCreation).getType() instanceof SystemWebHttpCookie
+      )
+    )
+  }
 }
 
 /**
@@ -119,13 +127,13 @@ private signature string propertyName();
 
 /**
  * Configuration for tracking if a callback used in `OnAppendCookie` sets a cookie property to `true`.
+ *
+ * ` getPropertyName` specifies the cookie property name to track.
  */
 private module OnAppendCookieTrackingConfig<propertyName/0 getPropertyName> implements
   DataFlow::ConfigSig
 {
-  /**
-   * Specifies the cookie property name to track.
-   */
+  /** Source is the parameter of a callback passed to `OnAppendCookie` */
   predicate isSource(DataFlow::Node source) {
     exists(PropertyWrite pw, Assignment delegateAssign, Callable c |
       pw.getProperty().getName() = "OnAppendCookie" and
@@ -146,6 +154,7 @@ private module OnAppendCookieTrackingConfig<propertyName/0 getPropertyName> impl
     )
   }
 
+  /** Sink is a property write that sets the given property to `true`. */
   predicate isSink(DataFlow::Node sink) {
     exists(PropertyWrite pw, Assignment a |
       pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
@@ -178,7 +187,7 @@ private module OnAppendCookieSecureTrackingConfig =
   OnAppendCookieTrackingConfig<getPropertyNameSecure/0>;
 
 /**
- * Tracks if a callback used in `OnAppendCookie` sets `Secure` to `true`.
+ * Tracks if a callback used in `OnAppendCookie` sets `Secure` to `true`, and thus cookies appended to responses are secure by default.
  */
 module OnAppendCookieSecureTracking = DataFlow::Global<OnAppendCookieSecureTrackingConfig>;
 
@@ -191,6 +200,6 @@ private module OnAppendCookieHttpOnlyTrackingConfig =
   OnAppendCookieTrackingConfig<getPropertyNameHttpOnly/0>;
 
 /**
- * Tracks if a callback used in `OnAppendCookie` sets `HttpOnly` to `true`.
+ * Tracks if a callback used in `OnAppendCookie` sets `HttpOnly` to `true`, and thus cookies appended to responses are httponly by default.
  */
 module OnAppendCookieHttpOnlyTracking = DataFlow::Global<OnAppendCookieHttpOnlyTrackingConfig>;
diff --git a/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.qhelp b/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.qhelp
new file mode 100644
index 000000000000..01bcc8c81da0
--- /dev/null
+++ b/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.qhelp	
@@ -0,0 +1,60 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Cookies without the <code>HttpOnly</code> flag set are accessible to client-side scripts such as JavaScript running in the same origin. 
+In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.
+If a sensitive cookie does not need to be accessed directly by client-side JS, the <code>HttpOnly</code> flag should be set.</p>
+</overview>
+
+<recommendation>
+<p>
+Set the <code>HttpOnly</code> flag to <code>true</code> for authentication cookies to ensure they are not accessible to client-side scripts.
+</p> 
+<p>
+When using ASP.NET Core, <code>CookiePolicyOptions</code> can be used to set a default policy for cookies.
+
+When using ASP.NET Web Forms, a default may also be configured in the <code>Web.config</code> file, using the <code>httpOnlyCookies</code> attribute of the 
+the <code>&lt;httpCookies&gt;</code> element.
+</p>
+</recommendation>
+
+<example>
+
+<p>
+In the example below, <code>Microsoft.AspNetCore.Http.CookieOptions.HttpOnly</code> is set to <code>true</code>.
+</p>
+
+<sample src="httponlyflagcore.cs" />
+
+<p>
+In the following example, <code>CookiePolicyOptions</code> are set programmatically to configure defaults.
+</p>
+
+<sample src="cookiepolicyoptions.cs" />
+
+<p>
+In the example below, <code>System.Web.HttpCookie.HttpOnly</code> is set to <code>true</code>.
+</p>
+
+<sample src="httponlyflag.cs" />
+
+<p>
+In the example below, the <code>httpOnlyCookies</code> attribute is set to <code>true</code> in the <code>Web.config</code> file.
+</p>
+<sample src="Web.config"/>
+
+</example>
+
+<references>
+
+<li>ASP.Net Core docs: <a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.httponly">CookieOptions.HttpOnly Property</a>.</li>
+<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header.</li>
+<li>Web Forms docs: <a href="https://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly(v=vs.110).aspx">HttpCookie.HttpOnly Property</a>.</li>
+<li>Web Forms docs: <a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element</a>.</li>
+<li>PortSwigger: <a href="https://portswigger.net/kb/issues/00500600_cookie-without-httponly-flag-set">Cookie without HttpOnly flag set</a></li>
+
+</references>
+</qhelp>
diff --git a/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.ql b/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
new file mode 100644
index 000000000000..4205fb4f70cb
--- /dev/null
+++ b/csharp/ql/src/Security Features/CWE-1004/CookieWithoutHttpOnly.ql	
@@ -0,0 +1,117 @@
+/**
+ * @name Cookie 'HttpOnly' attribute is not set to true
+ * @description Sensitive cookies without the `HttpOnly` property set are accessible by client-side scripts such as JavaScript.
+ *              This makes them more vulnerable to being stolen by an XSS attack.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id cs/web/cookie-httponly-not-set
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import csharp
+import semmle.code.asp.WebConfig
+import semmle.code.csharp.frameworks.system.Web
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+import semmle.code.csharp.security.auth.SecureCookies
+
+predicate cookieAppendHttpOnlyByDefault() {
+  // default is set to `Always`
+  getAValueForCookiePolicyProp("HttpOnly").getValue() = "1"
+  or
+  // there is an `OnAppendCookie` callback that sets `HttpOnly` to true
+  OnAppendCookieHttpOnlyTracking::flowTo(_)
+}
+
+predicate httpOnlyFalse(ObjectCreation oc) {
+  exists(Assignment a |
+    getAValueForProp(oc, a, "HttpOnly") = a.getRValue() and
+    a.getRValue().getValue() = "false"
+  )
+}
+
+predicate httpOnlyFalseOrNotSet(ObjectCreation oc) {
+  httpOnlyFalse(oc)
+  or
+  not isPropertySet(oc, "HttpOnly")
+}
+
+predicate nonHttpOnlyCookieOptionsCreation(ObjectCreation oc, MethodCall append) {
+  // `HttpOnly` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
+  oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+  httpOnlyFalseOrNotSet(oc) and
+  exists(DataFlow::Node creation, DataFlow::Node sink |
+    CookieOptionsTracking::flow(creation, sink) and
+    creation.asExpr() = oc and
+    sink.asExpr() = append.getArgument(2)
+  )
+}
+
+predicate nonHttpOnlySystemWebSensitiveCookieCreation(ObjectCreation oc) {
+  oc.getType() instanceof SystemWebHttpCookie and
+  isCookieWithSensitiveName(oc.getArgument(0)) and
+  (
+    httpOnlyFalse(oc)
+    or
+    // the property wasn't explicitly set, so a default value from config is used
+    not isPropertySet(oc, "HttpOnly") and
+    // the default in config is not set to `true`
+    not exists(XmlElement element |
+      element instanceof HttpCookiesElement and
+      element.(HttpCookiesElement).isHttpOnlyCookies()
+    )
+  )
+}
+
+predicate sensitiveCookieAppend(MethodCall mc) {
+  exists(MicrosoftAspNetCoreHttpResponseCookies iResponse |
+    iResponse.getAppendMethod() = mc.getTarget() and
+    isCookieWithSensitiveName(mc.getArgument(0))
+  )
+}
+
+predicate nonHttpOnlyCookieCall(Call c) {
+  (
+    not cookieAppendHttpOnlyByDefault() and
+    exists(MethodCall mc |
+      sensitiveCookieAppend(mc) and
+      (
+        nonHttpOnlyCookieOptionsCreation(c, mc)
+        or
+        // IResponseCookies.Append(String, String) was called, `HttpOnly` is set to `false` by default
+        mc = c and
+        mc.getNumberOfArguments() < 3
+      )
+    )
+    or
+    nonHttpOnlySystemWebSensitiveCookieCreation(c)
+  )
+}
+
+predicate nonHttpOnlyCookieBuilderAssignment(Assignment a, Expr val) {
+  val.getValue() = "false" and
+  exists(PropertyWrite pw |
+    (
+      pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
+      pw.getProperty().getDeclaringType() instanceof
+        MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
+    ) and
+    pw.getProperty().getName() = "HttpOnly" and
+    a.getLValue() = pw and
+    DataFlow::localExprFlow(val, a.getRValue())
+  )
+}
+
+from Expr httpOnlySink
+where
+  (
+    nonHttpOnlyCookieCall(httpOnlySink)
+    or
+    exists(Assignment a |
+      httpOnlySink = a.getRValue() and
+      nonHttpOnlyCookieBuilderAssignment(a, _)
+    )
+  )
+select httpOnlySink, "Cookie attribute 'HttpOnly' is not set to true."
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Web.config b/csharp/ql/src/Security Features/CWE-1004/Web.config
similarity index 60%
rename from csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Web.config
rename to csharp/ql/src/Security Features/CWE-1004/Web.config
index ec7b88761ca4..8f4cf5ba7777 100644
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Web.config	
+++ b/csharp/ql/src/Security Features/CWE-1004/Web.config	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
   <system.web>
-    <httpCookies requireSSL="false" />
+    <httpCookies httpOnlyCookies="true"/>
   </system.web>
-</configuration>
+</configuration>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/CWE-1004/cookiepolicyoptions.cs b/csharp/ql/src/Security Features/CWE-1004/cookiepolicyoptions.cs
similarity index 100%
rename from csharp/ql/src/experimental/Security Features/CWE-1004/cookiepolicyoptions.cs
rename to csharp/ql/src/Security Features/CWE-1004/cookiepolicyoptions.cs
diff --git a/csharp/ql/src/experimental/Security Features/CWE-1004/httponlyflag.cs b/csharp/ql/src/Security Features/CWE-1004/httponlyflag.cs
similarity index 100%
rename from csharp/ql/src/experimental/Security Features/CWE-1004/httponlyflag.cs
rename to csharp/ql/src/Security Features/CWE-1004/httponlyflag.cs
diff --git a/csharp/ql/src/experimental/Security Features/CWE-1004/httponlyflagcore.cs b/csharp/ql/src/Security Features/CWE-1004/httponlyflagcore.cs
similarity index 100%
rename from csharp/ql/src/experimental/Security Features/CWE-1004/httponlyflagcore.cs
rename to csharp/ql/src/Security Features/CWE-1004/httponlyflagcore.cs
diff --git a/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.qhelp b/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.qhelp
new file mode 100644
index 000000000000..f122c4d881bc
--- /dev/null
+++ b/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.qhelp	
@@ -0,0 +1,61 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Cookies without the <code>Secure</code> flag set may be transmitted using HTTP instead of HTTPS.
+This leaves them vulnerable to being read by a third party attacker. If a sensitive cookie such as a session
+key is intercepted this way, it would allow the attacker to perform actions on a user's behalf.</p>
+</overview>
+
+<recommendation>
+<p>
+When using ASP.NET Core, ensure cookies have the secure flag set by setting <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> to <code>true</code>, or 
+using <code>CookiePolicyOptions</code> to set a default security policy.
+</p>
+<p>
+When using ASP.NET Web Forms, cookies can be configured as secure by default in the <code>Web.config</code> file, setting the <code>requireSSL</code> attribute to <code>true</code> in the  <code>forms</code> or <code>httpCookies</code> element. 
+Cookies may also be set to be secure programmatically by setting the <code>System.Web.HttpCookie.Secure</code> attribute to <code>true</code>.
+</p>
+</recommendation>
+
+<example>
+
+<p>
+In the example below, <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> is set to <code>true</code>.
+</p>
+
+<sample src="secureflagcore.cs" />
+
+<p>
+In the following example, <code>CookiePolicyOptions</code> are set programmatically to configure defaults.
+</p>
+
+<sample src="cookiepolicyoptions.cs" />
+
+<p>
+In the example below <code>System.Web.HttpCookie.Secure</code> is set to <code>true</code> programmatically.
+</p>
+
+<sample src="secureflag.cs" />
+
+<p>
+In the example below, the <code>requireSSL</code> attribute is set to <code>true</code> in the <code>forms</code> element of the <code>Web.config</code> file.
+</p>
+<sample src="Web.config" />
+
+</example>
+
+<references>
+
+<li>ASP.NET Core docs: <a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.secure">CookieOptions.Secure Property</a>.</li>
+<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header.</li>
+<li>Web Forms docs: <a href="https://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl(v=vs.110).aspx">FormsAuthentication.RequireSSL Property</a>.</li>
+<li>Web Forms docs: <a href="https://msdn.microsoft.com/en-us/library/1d3t3c61(v=vs.100).aspx">forms Element for authentication</a>.</li>
+<li>Web Forms docs: <a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element</a>.</li>
+<li>Detectify: <a href="https://support.detectify.com/support/solutions/articles/48001048982-cookie-lack-secure-flag">Cookie lack Secure flag</a>.</li>
+<li>PortSwigger: <a href="https://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set">TLS cookie without secure flag set</a>.</li>
+
+</references>
+</qhelp>
diff --git a/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql b/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql
new file mode 100644
index 000000000000..c52a5cd992b8
--- /dev/null
+++ b/csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql	
@@ -0,0 +1,115 @@
+/**
+ * @name Cookie 'Secure' attribute is not set to true
+ * @description Cookies without the `Secure` flag may be sent in cleartext.
+ *              This makes them vulnerable to be intercepted by an attacker.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 5.0
+ * @precision high
+ * @id cs/web/cookie-secure-not-set
+ * @tags security
+ *       external/cwe/cwe-319
+ *       external/cwe/cwe-614
+ */
+
+import csharp
+import semmle.code.asp.WebConfig
+import semmle.code.csharp.frameworks.system.Web
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+import semmle.code.csharp.security.auth.SecureCookies
+
+predicate cookieAppendSecureByDefault() {
+  // default is set to `Always` or `SameAsRequest`
+  (
+    getAValueForCookiePolicyProp("Secure").getValue() = "0" or
+    getAValueForCookiePolicyProp("Secure").getValue() = "1"
+  )
+  or
+  //callback `OnAppendCookie` that sets `Secure` to true
+  OnAppendCookieSecureTracking::flowTo(_)
+}
+
+predicate secureFalse(ObjectCreation oc) {
+  exists(Assignment a |
+    getAValueForProp(oc, a, "Secure") = a.getRValue() and
+    a.getRValue().getValue() = "false"
+  )
+}
+
+predicate secureFalseOrNotSet(ObjectCreation oc) {
+  secureFalse(oc)
+  or
+  not isPropertySet(oc, "Secure")
+}
+
+predicate insecureCookieOptionsCreation(ObjectCreation oc) {
+  // `Secure` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
+  oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+  secureFalseOrNotSet(oc) and
+  exists(DataFlow::Node creation |
+    CookieOptionsTracking::flow(creation, _) and
+    creation.asExpr() = oc
+  )
+}
+
+predicate insecureCookieAppend(Expr sink) {
+  // IResponseCookies.Append(String, String) was called, `Secure` is set to `false` by default
+  exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
+    mc = sink and
+    iResponse.getAppendMethod() = mc.getTarget() and
+    mc.getNumberOfArguments() < 3
+  )
+}
+
+predicate insecureSystemWebCookieCreation(ObjectCreation oc) {
+  oc.getType() instanceof SystemWebHttpCookie and
+  (
+    secureFalse(oc)
+    or
+    // `Secure` property in `System.Web.HttpCookie` wasn't set, so a default value from config is used
+    not isPropertySet(oc, "Secure") and
+    // the default in config is not set to `true`
+    not exists(XmlElement element |
+      element instanceof FormsElement and
+      element.(FormsElement).isRequireSsl()
+      or
+      element instanceof HttpCookiesElement and
+      element.(HttpCookiesElement).isRequireSsl()
+    )
+  )
+}
+
+predicate insecureCookieCall(Call c) {
+  not cookieAppendSecureByDefault() and
+  (
+    insecureCookieOptionsCreation(c)
+    or
+    insecureCookieAppend(c)
+  )
+  or
+  insecureSystemWebCookieCreation(c)
+}
+
+predicate insecureSecurePolicyAssignment(Assignment a, Expr val) {
+  exists(PropertyWrite pw |
+    (
+      pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
+      pw.getProperty().getDeclaringType() instanceof
+        MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
+    ) and
+    pw.getProperty().getName() = "SecurePolicy" and
+    a.getLValue() = pw and
+    DataFlow::localExprFlow(val, a.getRValue()) and
+    val.getValue() = "2" // None
+  )
+}
+
+from Expr secureSink
+where
+  insecureCookieCall(secureSink)
+  or
+  exists(Assignment a |
+    secureSink = a.getRValue() and
+    insecureSecurePolicyAssignment(a, _)
+  )
+select secureSink, "Cookie attribute 'Secure' is not set to true."
diff --git a/csharp/ql/src/experimental/Security Features/CWE-614/cookiepolicyoptions.cs b/csharp/ql/src/Security Features/CWE-614/cookiepolicyoptions.cs
similarity index 100%
rename from csharp/ql/src/experimental/Security Features/CWE-614/cookiepolicyoptions.cs
rename to csharp/ql/src/Security Features/CWE-614/cookiepolicyoptions.cs
diff --git a/csharp/ql/src/experimental/Security Features/CWE-614/secureflag.cs b/csharp/ql/src/Security Features/CWE-614/secureflag.cs
similarity index 100%
rename from csharp/ql/src/experimental/Security Features/CWE-614/secureflag.cs
rename to csharp/ql/src/Security Features/CWE-614/secureflag.cs
diff --git a/csharp/ql/src/experimental/Security Features/CWE-614/secureflagcore.cs b/csharp/ql/src/Security Features/CWE-614/secureflagcore.cs
similarity index 100%
rename from csharp/ql/src/experimental/Security Features/CWE-614/secureflagcore.cs
rename to csharp/ql/src/Security Features/CWE-614/secureflagcore.cs
diff --git a/csharp/ql/src/change-notes/2025-10-24-insecure-cookie-query-promote.md b/csharp/ql/src/change-notes/2025-10-24-insecure-cookie-query-promote.md
new file mode 100644
index 000000000000..1a15c0494bdf
--- /dev/null
+++ b/csharp/ql/src/change-notes/2025-10-24-insecure-cookie-query-promote.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+The `cs/web/cookie-secure-not-set` and `cs/web/cookie-httponly-not-set` queries have been promoted from experimental to the main query pack.
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.qhelp b/csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.qhelp
deleted file mode 100644
index c7c10a3af9e5..000000000000
--- a/csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.qhelp	
+++ /dev/null
@@ -1,51 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>
-Cookies without <code>HttpOnly</code> flag are accessible to JavaScript running in the same origin. In case of
-Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious script.
-</p>
-</overview>
-
-<recommendation>
-<p>
-Protect sensitive cookies, such as related to authentication, by setting <code>HttpOnly</code> to <code>true</code> to make
-them not accessible to JavaScript. In ASP.NET case it is also possible to set the attribute via <code>&lt;httpCookies&gt;</code> element
-of <code>web.config</code> with the attribute <code>httpOnlyCookies="true"</code>.
-</p>
-</recommendation>
-
-<example>
-
-<p>
-In the example below <code>Microsoft.AspNetCore.Http.CookieOptions.HttpOnly</code> is set to <code>true</code>.
-</p>
-
-<sample src="httponlyflagcore.cs" />
-
-<p>
-In the following example <code>CookiePolicyOptions</code> are set programmatically to configure defaults.
-</p>
-
-<sample src="cookiepolicyoptions.cs" />
-
-<p>
-In the example below <code>System.Web.HttpCookie.HttpOnly</code> is set to <code>true</code>.
-</p>
-
-<sample src="httponlyflag.cs" />
-
-</example>
-
-<references>
-
-<li><a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.httponly">CookieOptions.HttpOnly Property,</a></li>
-<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header,</li>
-<li><a href="https://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly(v=vs.110).aspx">HttpCookie.HttpOnly Property,</a></li>
-<li><a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element,</a></li>
-
-</references>
-</qhelp>
diff --git a/csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql b/csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
deleted file mode 100644
index 359ffbcd2f30..000000000000
--- a/csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql	
+++ /dev/null
@@ -1,107 +0,0 @@
-/**
- * @name 'HttpOnly' attribute is not set to true
- * @description Omitting the 'HttpOnly' attribute for security sensitive data allows
- *              malicious JavaScript to steal it in case of XSS vulnerability. Always set
- *              'HttpOnly' to 'true' to authentication related cookie to make it
- *              not accessible by JavaScript.
- * @kind problem
- * @problem.severity warning
- * @precision high
- * @id cs/web/cookie-httponly-not-set
- * @tags security
- *       experimental
- *       external/cwe/cwe-1004
- */
-
-import csharp
-import semmle.code.asp.WebConfig
-import semmle.code.csharp.frameworks.system.Web
-import semmle.code.csharp.frameworks.microsoft.AspNetCore
-deprecated import experimental.dataflow.flowsources.AuthCookie
-
-deprecated query predicate problems(Expr httpOnlySink, string message) {
-  (
-    exists(Assignment a, Expr val |
-      httpOnlySink = a.getRValue() and
-      val.getValue() = "false" and
-      (
-        exists(ObjectCreation oc |
-          getAValueForProp(oc, a, "HttpOnly") = val and
-          (
-            oc.getType() instanceof SystemWebHttpCookie and
-            isCookieWithSensitiveName(oc.getArgument(0))
-            or
-            exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
-              oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
-              iResponse.getAppendMethod() = mc.getTarget() and
-              isCookieWithSensitiveName(mc.getArgument(0)) and
-              // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
-              not OnAppendCookieHttpOnlyTracking::flowTo(_) and
-              // Passed as third argument to `IResponseCookies.Append`
-              exists(DataFlow::Node creation, DataFlow::Node append |
-                CookieOptionsTracking::flow(creation, append) and
-                creation.asExpr() = oc and
-                append.asExpr() = mc.getArgument(2)
-              )
-            )
-          )
-        )
-        or
-        exists(PropertyWrite pw |
-          (
-            pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
-            pw.getProperty().getDeclaringType() instanceof
-              MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
-          ) and
-          pw.getProperty().getName() = "HttpOnly" and
-          a.getLValue() = pw and
-          DataFlow::localExprFlow(val, a.getRValue())
-        )
-      )
-    )
-    or
-    exists(Call c |
-      httpOnlySink = c and
-      (
-        exists(MicrosoftAspNetCoreHttpResponseCookies iResponse, MethodCall mc |
-          // default is not configured or is not set to `Always`
-          not getAValueForCookiePolicyProp("HttpOnly").getValue() = "1" and
-          // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
-          not OnAppendCookieHttpOnlyTracking::flowTo(_) and
-          iResponse.getAppendMethod() = mc.getTarget() and
-          isCookieWithSensitiveName(mc.getArgument(0)) and
-          (
-            // `HttpOnly` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
-            exists(ObjectCreation oc |
-              oc = c and
-              oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
-              not isPropertySet(oc, "HttpOnly") and
-              exists(DataFlow::Node creation |
-                CookieOptionsTracking::flow(creation, _) and
-                creation.asExpr() = oc
-              )
-            )
-            or
-            // IResponseCookies.Append(String, String) was called, `HttpOnly` is set to `false` by default
-            mc = c and
-            mc.getNumberOfArguments() < 3
-          )
-        )
-        or
-        exists(ObjectCreation oc |
-          oc = c and
-          oc.getType() instanceof SystemWebHttpCookie and
-          isCookieWithSensitiveName(oc.getArgument(0)) and
-          // the property wasn't explicitly set, so a default value from config is used
-          not isPropertySet(oc, "HttpOnly") and
-          // the default in config is not set to `true`
-          not exists(XmlElement element |
-            element instanceof HttpCookiesElement and
-            element.(HttpCookiesElement).isHttpOnlyCookies()
-          )
-        )
-      )
-    )
-  ) and
-  message = "Cookie attribute 'HttpOnly' is not set to true."
-}
diff --git a/csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.qhelp b/csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.qhelp
deleted file mode 100644
index ddf825aed26e..000000000000
--- a/csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.qhelp	
+++ /dev/null
@@ -1,55 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>
-Sensitive data that is transmitted using HTTP is vulnerable to being read by a third party. By default,
-cookies are sent via HTTP, not HTTPS.
-</p>
-</overview>
-
-<recommendation>
-<p>
-In ASP.NET case when using cookies ensure that HTTPS is used by setting the property <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> to <code>true</code>.
-</p>
-<p>
-In ASP.NET Core case when using cookies, ensure that HTTPS is used, either via the <code>&lt;forms&gt;</code> attribute above, or
-the <code>&lt;httpCookies&gt;</code> element, with the attribute <code>requireSSL="true"</code>. It is also possible to require cookies
-to use HTTPS programmatically, by setting the property <code>System.Web.HttpCookie.Secure</code> to <code>true</code>.
-</p>
-</recommendation>
-
-<example>
-
-<p>
-In the example below <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> is set to <code>true</code> programmatically.
-</p>
-
-<sample src="secureflagcore.cs" />
-
-<p>
-In the following example <code>CookiePolicyOptions</code> are set programmatically to configure defaults.
-</p>
-
-<sample src="cookiepolicyoptions.cs" />
-
-<p>
-In the example below <code>System.Web.HttpCookie.Secure</code> is set to <code>true</code> programmatically.
-</p>
-
-<sample src="secureflag.cs" />
-
-</example>
-
-<references>
-
-<li><a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.secure">CookieOptions.Secure Property,</a></li>
-<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header,</li>
-<li><a href="https://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl(v=vs.110).aspx">FormsAuthentication.RequireSSL Property,</a></li>
-<li><a href="https://msdn.microsoft.com/en-us/library/1d3t3c61(v=vs.100).aspx">forms Element for authentication,</a></li>
-<li><a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element,</a></li>
-
-</references>
-</qhelp>
diff --git a/csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql b/csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql
deleted file mode 100644
index d7628f7b2c7b..000000000000
--- a/csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql	
+++ /dev/null
@@ -1,107 +0,0 @@
-/**
- * @name 'Secure' attribute is not set to true
- * @description Omitting the 'Secure' attribute allows data to be transmitted insecurely
- *              using HTTP. Always set 'Secure' to 'true' to ensure that HTTPS
- *              is used at all times.
- * @kind problem
- * @problem.severity error
- * @precision high
- * @id cs/web/cookie-secure-not-set
- * @tags security
- *       experimental
- *       external/cwe/cwe-319
- *       external/cwe/cwe-614
- */
-
-import csharp
-import semmle.code.asp.WebConfig
-import semmle.code.csharp.frameworks.system.Web
-import semmle.code.csharp.frameworks.microsoft.AspNetCore
-deprecated import experimental.dataflow.flowsources.AuthCookie
-
-deprecated query predicate problems(Expr secureSink, string message) {
-  (
-    exists(Call c |
-      secureSink = c and
-      (
-        // default is not configured or is not set to `Always` or `SameAsRequest`
-        not (
-          getAValueForCookiePolicyProp("Secure").getValue() = "0" or
-          getAValueForCookiePolicyProp("Secure").getValue() = "1"
-        ) and
-        // there is no callback `OnAppendCookie` that sets `Secure` to true
-        not OnAppendCookieSecureTracking::flowTo(_) and
-        (
-          // `Secure` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
-          exists(ObjectCreation oc |
-            oc = c and
-            oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
-            not isPropertySet(oc, "Secure") and
-            exists(DataFlow::Node creation |
-              CookieOptionsTracking::flow(creation, _) and
-              creation.asExpr() = oc
-            )
-          )
-          or
-          // IResponseCookies.Append(String, String) was called, `Secure` is set to `false` by default
-          exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
-            mc = c and
-            iResponse.getAppendMethod() = mc.getTarget() and
-            mc.getNumberOfArguments() < 3
-          )
-        )
-        or
-        exists(ObjectCreation oc |
-          oc = c and
-          oc.getType() instanceof SystemWebHttpCookie and
-          // the property wasn't explicitly set, so a default value from config is used
-          not isPropertySet(oc, "Secure") and
-          // the default in config is not set to `true`
-          // the `exists` below covers the `cs/web/requiressl-not-set`
-          not exists(XmlElement element |
-            element instanceof FormsElement and
-            element.(FormsElement).isRequireSsl()
-            or
-            element instanceof HttpCookiesElement and
-            element.(HttpCookiesElement).isRequireSsl()
-          )
-        )
-      )
-    )
-    or
-    exists(Assignment a, Expr val |
-      secureSink = a.getRValue() and
-      (
-        exists(ObjectCreation oc |
-          getAValueForProp(oc, a, "Secure") = val and
-          val.getValue() = "false" and
-          (
-            oc.getType() instanceof SystemWebHttpCookie
-            or
-            oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
-            // there is no callback `OnAppendCookie` that sets `Secure` to true
-            not OnAppendCookieSecureTracking::flowTo(_) and
-            // the cookie option is passed to `Append`
-            exists(DataFlow::Node creation |
-              CookieOptionsTracking::flow(creation, _) and
-              creation.asExpr() = oc
-            )
-          )
-        )
-        or
-        exists(PropertyWrite pw |
-          (
-            pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
-            pw.getProperty().getDeclaringType() instanceof
-              MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
-          ) and
-          pw.getProperty().getName() = "SecurePolicy" and
-          a.getLValue() = pw and
-          DataFlow::localExprFlow(val, a.getRValue()) and
-          val.getValue() = "2" // None
-        )
-      )
-    )
-  ) and
-  message = "Cookie attribute 'Secure' is not set to true."
-}
diff --git a/csharp/ql/src/experimental/Security Features/CWE-614/Web.config b/csharp/ql/src/experimental/Security Features/CWE-614/Web.config
deleted file mode 100644
index 89d4561cd625..000000000000
--- a/csharp/ql/src/experimental/Security Features/CWE-614/Web.config	
+++ /dev/null
@@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<configuration>
-  <system.web>
-    <authentication>
-      <forms
-        requireSSL="true"
-        ... />
-    </authentication>
-    <httpCookies
-        requireSSL="true"
-        ... />
-  </system.web>
-</configuration>
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/HttpOnly.qlref b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/HttpOnly.qlref
deleted file mode 100644
index 91ce226003c3..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/HttpOnly.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.expected b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.expected
deleted file mode 100644
index 968e28976a8a..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.expected	
+++ /dev/null
@@ -1,4 +0,0 @@
-| Program.cs:25:34:25:38 | false | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:38:88:38:92 | false | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:61:34:61:34 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:68:88:68:88 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.qlref b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.qlref
deleted file mode 100644
index 91ce226003c3..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/HttpOnly.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref
deleted file mode 100644
index 91ce226003c3..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/Program.cs b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/Program.cs
deleted file mode 100644
index 60f217eff20e..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/Program.cs	
+++ /dev/null
@@ -1,37 +0,0 @@
-using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Hosting;
-using Microsoft.Extensions.DependencyInjection;
-using Microsoft.AspNetCore.Http;
-
-public class MyController : Microsoft.AspNetCore.Mvc.Controller
-{
-    public void CookieDefault()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        cookieOptions.HttpOnly = false;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: HttpOnly is set in callback
-    }
-}
-
-public class Startup
-{
-    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
-    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
-    {
-        app.UseCookiePolicy();
-    }
-
-    public void ConfigureServices(IServiceCollection services)
-    {
-        services.Configure<CookiePolicyOptions>(options =>
-        {
-            options.OnAppendCookie = cookieContext => SetCookies(cookieContext.CookieOptions);
-        });
-    }
-
-    private void SetCookies(CookieOptions options)
-    {
-        options.Secure = true;
-        options.HttpOnly = true;
-    }
-}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/options b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/options
deleted file mode 100644
index ce3f295ed117..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/options	
+++ /dev/null
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.expected b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.expected
deleted file mode 100644
index 288445958592..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.expected	
+++ /dev/null
@@ -1,4 +0,0 @@
-| Program.cs:23:27:23:31 | false | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:28:74:28:78 | false | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:48:27:48:27 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:54:74:54:74 | access to local variable v | Cookie attribute 'HttpOnly' is not set to true. |
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.qlref b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.qlref
deleted file mode 100644
index 91ce226003c3..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/HttpOnly.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/options b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/options
deleted file mode 100644
index 9290f65d5b22..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/options	
+++ /dev/null
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.expected b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.expected
deleted file mode 100644
index aac509883026..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.expected	
+++ /dev/null
@@ -1,2 +0,0 @@
-| Program.cs:5:9:5:49 | call to method Append | Cookie attribute 'HttpOnly' is not set to true. |
-| Program.cs:15:29:15:73 | object creation of type CookieOptions | Cookie attribute 'HttpOnly' is not set to true. |
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.qlref b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.qlref
deleted file mode 100644
index 91ce226003c3..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/HttpOnly.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/Program.cs b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/Program.cs
deleted file mode 100644
index 945c5be55dbc..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/NoPolicy/Program.cs	
+++ /dev/null
@@ -1,52 +0,0 @@
-public class MyController : Microsoft.AspNetCore.Mvc.Controller
-{
-    public void CookieDefault()
-    {
-        Response.Cookies.Append("auth", "secret"); // BAD: HttpOnly is set to false by default
-    }
-
-    public void CookieDefaultForgery()
-    {
-        Response.Cookies.Append("antiforgerytoken", "secret"); // GOOD: not an auth cookie
-    }
-
-    public void CookieDefault2()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD: HttpOnly is set to false by default
-    }
-
-    public void CookieDelete()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        Response.Cookies.Delete("auth", cookieOptions); // GOOD: Delete call
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        cookieOptions.HttpOnly = true;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = true };
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        bool v = true;
-        cookieOptions.HttpOnly = v;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v };
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
-    }
-}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/HttpOnly.qlref b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/HttpOnly.qlref
deleted file mode 100644
index 91ce226003c3..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/HttpOnly.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref
deleted file mode 100644
index 91ce226003c3..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/HttpOnly.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/HttpOnly.qlref b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/HttpOnly.qlref
deleted file mode 100644
index 91ce226003c3..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/HttpOnly.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/options b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/options
deleted file mode 100644
index ce3f295ed117..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/options	
+++ /dev/null
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.expected b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.expected
deleted file mode 100644
index 85b07c94e9e2..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.expected	
+++ /dev/null
@@ -1 +0,0 @@
-| Program.cs:5:22:5:59 | object creation of type HttpCookie | Cookie attribute 'HttpOnly' is not set to true. |
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.qlref b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.qlref
deleted file mode 100644
index 91ce226003c3..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/HttpOnly.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/Program.cs b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/Program.cs
deleted file mode 100644
index bc66b526fa51..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/Program.cs	
+++ /dev/null
@@ -1,36 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID"); // BAD: httpOnlyCookies is set to false by default
-    }
-
-    void CookieDefaultForgery()
-    {
-        var cookie = new System.Web.HttpCookie("anticsrftoken"); // GOOD: not an auth cookie
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID");
-        cookie.HttpOnly = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID");
-        bool v = true;
-        cookie.HttpOnly = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // GOOD: should track local data flow
-    }
-}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/options b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/options
deleted file mode 100644
index 9d05f9bf06d4..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/options	
+++ /dev/null
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.expected b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.expected
deleted file mode 100644
index 85b07c94e9e2..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.expected	
+++ /dev/null
@@ -1 +0,0 @@
-| Program.cs:5:22:5:59 | object creation of type HttpCookie | Cookie attribute 'HttpOnly' is not set to true. |
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.qlref b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.qlref
deleted file mode 100644
index 91ce226003c3..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/HttpOnly.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Program.cs b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Program.cs
deleted file mode 100644
index 52ef13373f72..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Program.cs	
+++ /dev/null
@@ -1,36 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID"); // BAD: httpOnlyCookies is set to false in config
-    }
-
-    void CookieDefaultForgery()
-    {
-        var cookie = new System.Web.HttpCookie("anticsrftoken"); // GOOD: not an auth cookie
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID");
-        cookie.HttpOnly = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID");
-        bool v = true;
-        cookie.HttpOnly = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // GOOD: should track local data flow
-    }
-}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Web.config b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Web.config
deleted file mode 100644
index d6202a55188c..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/Web.config	
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<configuration>
-  <system.web>
-    <httpCookies httpOnlyCookies="false" />
-  </system.web>
-</configuration>
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/options b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/options
deleted file mode 100644
index 9d05f9bf06d4..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigFalse/options	
+++ /dev/null
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/HttpOnly.qlref b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/HttpOnly.qlref
deleted file mode 100644
index 91ce226003c3..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/HttpOnly.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Program.cs b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Program.cs
deleted file mode 100644
index 6eeb4f6d3343..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Program.cs	
+++ /dev/null
@@ -1,36 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID"); // GOOD: httpOnlyCookies is set to true in config
-    }
-
-    void CookieDefaultForgery()
-    {
-        var cookie = new System.Web.HttpCookie("anticsrftoken"); // GOOD: not an auth cookie
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID");
-        cookie.HttpOnly = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("sessionID");
-        bool v = true;
-        cookie.HttpOnly = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // GOOD: should track local data flow
-    }
-}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Web.config b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Web.config
deleted file mode 100644
index fc2621492116..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/Web.config	
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<configuration>
-  <system.web>
-    <httpCookies httpOnlyCookies="true" />
-  </system.web>
-</configuration>
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/options b/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/options
deleted file mode 100644
index 9d05f9bf06d4..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/options	
+++ /dev/null
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/NoPolicy/Program.cs b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/NoPolicy/Program.cs
deleted file mode 100644
index 9c21416940b2..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/NoPolicy/Program.cs	
+++ /dev/null
@@ -1,47 +0,0 @@
-public class MyController : Microsoft.AspNetCore.Mvc.Controller
-{
-    public void CookieDefault()
-    {
-        Response.Cookies.Append("name", "value"); // BAD: requireSSL is set to false by default
-    }
-
-    public void CookieDefault2()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        Response.Cookies.Append("name", "value", cookieOptions); // BAD: requireSSL is set to false by default
-    }
-
-    public void CookieDelete()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        Response.Cookies.Delete("name", cookieOptions); // GOOD: Delete call
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        cookieOptions.Secure = true;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = true };
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        bool v = true;
-        cookieOptions.Secure = v;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v };
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: should track local data flow
-    }
-}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.expected b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.expected
deleted file mode 100644
index f96df31ad21a..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.expected	
+++ /dev/null
@@ -1,2 +0,0 @@
-| Program.cs:5:9:5:48 | call to method Append | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:10:29:10:73 | object creation of type CookieOptions | Cookie attribute 'Secure' is not set to true. |
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.qlref b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.qlref
deleted file mode 100644
index f76146a862b9..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/NoPolicy/RequireSSL.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/RequireSSL.qlref b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/RequireSSL.qlref
deleted file mode 100644
index f76146a862b9..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/RequireSSL.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/RequireSSL.expected b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/RequireSSL.expected
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref
deleted file mode 100644
index f76146a862b9..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/RequireSSL.qlref b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/RequireSSL.qlref
deleted file mode 100644
index f76146a862b9..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/RequireSSL.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/options b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/options
deleted file mode 100644
index ce3f295ed117..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/options	
+++ /dev/null
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/RequireSSL.qlref b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/RequireSSL.qlref
deleted file mode 100644
index f76146a862b9..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/RequireSSL.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.expected b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.expected
deleted file mode 100644
index 7b7bc3439420..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.expected	
+++ /dev/null
@@ -1,4 +0,0 @@
-| Program.cs:25:32:25:36 | false | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:31:86:31:90 | false | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:54:32:54:32 | access to local variable v | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:61:86:61:86 | access to local variable v | Cookie attribute 'Secure' is not set to true. |
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.qlref b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.qlref
deleted file mode 100644
index f76146a862b9..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/RequireSSL.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/Program.cs b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/Program.cs
deleted file mode 100644
index 542b1a298fa7..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/Program.cs	
+++ /dev/null
@@ -1,37 +0,0 @@
-using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Hosting;
-using Microsoft.Extensions.DependencyInjection;
-using Microsoft.AspNetCore.Http;
-
-public class MyController : Microsoft.AspNetCore.Mvc.Controller
-{
-    public void CookieDefault()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        cookieOptions.Secure = false;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: Secure is set in callback
-    }
-}
-
-public class Startup
-{
-    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
-    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
-    {
-        app.UseCookiePolicy();
-    }
-
-    public void ConfigureServices(IServiceCollection services)
-    {
-        services.Configure<CookiePolicyOptions>(options =>
-        {
-            options.OnAppendCookie = cookieContext => SetCookies(cookieContext.CookieOptions);
-        });
-    }
-
-    private void SetCookies(CookieOptions options)
-    {
-        options.Secure = true;
-        options.HttpOnly = true;
-    }
-}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/RequireSSL.expected b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/RequireSSL.expected
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref
deleted file mode 100644
index f76146a862b9..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/UseCookiePolicyCallback/RequireSSL.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/options b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/options
deleted file mode 100644
index ce3f295ed117..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/options	
+++ /dev/null
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.expected b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.expected
deleted file mode 100644
index fb6b5e842e29..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.expected	
+++ /dev/null
@@ -1,4 +0,0 @@
-| Program.cs:17:25:17:29 | false | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:22:73:22:77 | false | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:42:25:42:25 | access to local variable v | Cookie attribute 'Secure' is not set to true. |
-| Program.cs:48:73:48:73 | access to local variable v | Cookie attribute 'Secure' is not set to true. |
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.qlref b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.qlref
deleted file mode 100644
index f76146a862b9..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/RequireSSL.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/Web.config b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/Web.config
deleted file mode 100644
index 96fd10c05b72..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/Web.config	
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<configuration>
-  <system.web>
-    <httpCookies />
-  </system.web>
-</configuration>
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/options b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/options
deleted file mode 100644
index 9290f65d5b22..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/options	
+++ /dev/null
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/Program.cs b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/Program.cs
deleted file mode 100644
index 4011a7d1a63d..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/Program.cs	
+++ /dev/null
@@ -1,31 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName"); // BAD: requireSSL is set to false by default
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        cookie.Secure = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        bool v = true;
-        cookie.Secure = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
-    }
-}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.expected b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.expected
deleted file mode 100644
index 6c224aab89dc..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.expected	
+++ /dev/null
@@ -1 +0,0 @@
-| Program.cs:5:22:5:60 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.qlref b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.qlref
deleted file mode 100644
index f76146a862b9..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/RequireSSL.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/options b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/options
deleted file mode 100644
index 9d05f9bf06d4..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/options	
+++ /dev/null
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Program.cs b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Program.cs
deleted file mode 100644
index 392366a72d27..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/Program.cs	
+++ /dev/null
@@ -1,31 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName"); // BAD: requireSSL is set to false in config
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        cookie.Secure = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        bool v = true;
-        cookie.Secure = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
-    }
-}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.expected b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.expected
deleted file mode 100644
index 6c224aab89dc..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.expected	
+++ /dev/null
@@ -1 +0,0 @@
-| Program.cs:5:22:5:60 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.qlref b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.qlref
deleted file mode 100644
index f76146a862b9..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/RequireSSL.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/options b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/options
deleted file mode 100644
index 9d05f9bf06d4..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigFalse/options	
+++ /dev/null
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/Program.cs b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/Program.cs
deleted file mode 100644
index be53a64ae6ed..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/Program.cs	
+++ /dev/null
@@ -1,31 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName"); // GOOD: requireSSL is set to true in config
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        cookie.Secure = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        bool v = true;
-        cookie.Secure = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
-    }
-}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/RequireSSL.expected b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/RequireSSL.expected
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/RequireSSL.qlref b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/RequireSSL.qlref
deleted file mode 100644
index f76146a862b9..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/RequireSSL.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/options b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/options
deleted file mode 100644
index 9d05f9bf06d4..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/options	
+++ /dev/null
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/Program.cs b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/Program.cs
deleted file mode 100644
index be53a64ae6ed..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/Program.cs	
+++ /dev/null
@@ -1,31 +0,0 @@
-class Program
-{
-    void CookieDefault()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName"); // GOOD: requireSSL is set to true in config
-    }
-
-    void CookieDirectTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        cookie.Secure = true;  // GOOD
-    }
-
-    void CookieDirectTrueInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
-    }
-
-    void CookieIntermediateTrue()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        bool v = true;
-        cookie.Secure = v; // GOOD: should track local data flow
-    }
-
-    void CookieIntermediateTrueInitializer()
-    {
-        bool v = true;
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
-    }
-}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/RequireSSL.expected b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/RequireSSL.expected
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/RequireSSL.qlref b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/RequireSSL.qlref
deleted file mode 100644
index f76146a862b9..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/RequireSSL.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security Features/CWE-614/CookieWithoutSecure.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/options b/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/options
deleted file mode 100644
index 9d05f9bf06d4..000000000000
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/options	
+++ /dev/null
@@ -1,3 +0,0 @@
-semmle-extractor-options: /nostdlib /noconfig
-semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
-semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/HttpOnly.expected b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/CookieBuilder/CookieWithoutHttpOnly.expected
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/HttpOnly.expected
rename to csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/CookieBuilder/CookieWithoutHttpOnly.expected
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/CookieBuilder/CookieWithoutHttpOnly.qlref b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/CookieBuilder/CookieWithoutHttpOnly.qlref
new file mode 100644
index 000000000000..9cfe2cba2685
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/CookieBuilder/CookieWithoutHttpOnly.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-1004/CookieWithoutHttpOnly.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/CookieBuilder/Program.cs
similarity index 77%
rename from csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/Program.cs
rename to csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/CookieBuilder/Program.cs
index 4f51bdb5bc5d..ba92978ec496 100644
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/Program.cs	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/CookieBuilder/Program.cs	
@@ -10,14 +10,14 @@ public void ConfigureServices(IServiceCollection services)
     {
         services.AddAuthentication().AddCookie(o =>
         {
-            o.Cookie.HttpOnly = false;
-            o.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None;
+            o.Cookie.HttpOnly = false; // $ Alert
+            o.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None; 
         });
 
         services.AddSession(options =>
         {
-            options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None;
-            options.Cookie.HttpOnly = false;
+            options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None; 
+            options.Cookie.HttpOnly = false; // $ Alert
         });
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/CookieWithoutHttpOnly.expected b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/CookieWithoutHttpOnly.expected
new file mode 100644
index 000000000000..1e71f06bfb60
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/CookieWithoutHttpOnly.expected	
@@ -0,0 +1,4 @@
+| Program.cs:5:9:5:48 | call to method Append | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:10:29:10:73 | object creation of type CookieOptions | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:42:29:42:73 | object creation of type CookieOptions | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:49:29:49:94 | object creation of type CookieOptions | Cookie attribute 'HttpOnly' is not set to true. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/CookieWithoutHttpOnly.qlref b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/CookieWithoutHttpOnly.qlref
new file mode 100644
index 000000000000..9cfe2cba2685
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/CookieWithoutHttpOnly.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-1004/CookieWithoutHttpOnly.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/Program.cs
similarity index 80%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/Program.cs
rename to csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/Program.cs
index 6f12958fba74..4df46f20c8c8 100644
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/NoPolicy/Program.cs	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/Program.cs	
@@ -1,11 +1,29 @@
 public class MyController : Microsoft.AspNetCore.Mvc.Controller
 {
+    public void CookieDefault()
+    {
+        Response.Cookies.Append("auth", "value"); // $Alert // BAD: HttpOnly is set to false by default
+    }
+
+    public void CookieDefault2()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert 
+        Response.Cookies.Append("auth", "value", cookieOptions); // BAD: HttpOnly is set to false by default
+    }
+
     public void CookieDelete()
     {
         var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
         Response.Cookies.Delete("auth", cookieOptions); // GOOD: Delete call
     }
 
+    void CookieDirectFalseForgery()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        cookieOptions.HttpOnly = false;
+        Response.Cookies.Append("antiforgerytoken", "secret", cookieOptions); // GOOD: not an auth cookie
+    }
+
     void CookieDirectTrue()
     {
         var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
@@ -21,21 +39,14 @@ void CookieDirectTrueInitializer()
 
     void CookieDirectFalse()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert 
         cookieOptions.HttpOnly = false;
         Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
     }
 
-    void CookieDirectFalseForgery()
-    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
-        cookieOptions.HttpOnly = false;
-        Response.Cookies.Append("antiforgerytoken", "secret", cookieOptions); // GOOD: not an auth cookie
-    }
-
     void CookieDirectFalseInitializer()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = false };
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = false }; // $Alert 
         Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
     }
 
@@ -56,16 +67,16 @@ void CookieIntermediateTrueInitializer()
 
     void CookieIntermediateFalse()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $MISSING:Alert
         bool v = false;
         cookieOptions.HttpOnly = v;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
     }
 
     void CookieIntermediateFalseInitializer()
     {
         bool v = false;
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v };
-        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v }; // $MISSING:Alert 
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
     }
 }
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/HttpOnly.expected b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyAlways/CookieWithoutHttpOnly.expected
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/UseCookiePolicyCallback/HttpOnly.expected
rename to csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyAlways/CookieWithoutHttpOnly.expected
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyAlways/CookieWithoutHttpOnly.qlref b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyAlways/CookieWithoutHttpOnly.qlref
new file mode 100644
index 000000000000..9cfe2cba2685
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyAlways/CookieWithoutHttpOnly.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-1004/CookieWithoutHttpOnly.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyAlways/Program.cs
similarity index 92%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/Program.cs
rename to csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyAlways/Program.cs
index 115f448a39b4..cdb8a9081d1b 100644
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/Program.cs	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyAlways/Program.cs	
@@ -20,6 +20,6 @@ public class Startup
     // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
     public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
     {
-        app.UseCookiePolicy(new CookiePolicyOptions() { HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always});
+        app.UseCookiePolicy(new CookiePolicyOptions() { HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always });
     }
 }
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/HttpOnly.expected b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyCallback/CookieWithoutHttpOnly.expected
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyAlways/HttpOnly.expected
rename to csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyCallback/CookieWithoutHttpOnly.expected
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyCallback/CookieWithoutHttpOnly.qlref b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyCallback/CookieWithoutHttpOnly.qlref
new file mode 100644
index 000000000000..9cfe2cba2685
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyCallback/CookieWithoutHttpOnly.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-1004/CookieWithoutHttpOnly.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyCallback/Program.cs
similarity index 88%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/Program.cs
rename to csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyCallback/Program.cs
index 417b1f77277c..6d44521e85f8 100644
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/Program.cs	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyCallback/Program.cs	
@@ -6,6 +6,11 @@
 public class MyController : Microsoft.AspNetCore.Mvc.Controller
 {
     public void CookieDefault()
+    {
+        Response.Cookies.Append("auth", "secret"); // GOOD: HttpOnly is set in callback
+    }
+
+    public void CookieDefault2()
     {
         var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
         Response.Cookies.Append("auth", "secret", cookieOptions); // GOOD: HttpOnly is set in callback
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/HttpOnly.expected b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyNone/CookieWithoutHttpOnly.expected
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/HttpOnly.expected
rename to csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyNone/CookieWithoutHttpOnly.expected
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyNone/CookieWithoutHttpOnly.qlref b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyNone/CookieWithoutHttpOnly.qlref
new file mode 100644
index 000000000000..9cfe2cba2685
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyNone/CookieWithoutHttpOnly.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-1004/CookieWithoutHttpOnly.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyNone/Program.cs
similarity index 85%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/Program.cs
rename to csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyNone/Program.cs
index 7be845aadfea..187a02e71dc1 100644
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyNone/Program.cs	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/PolicyNone/Program.cs	
@@ -5,12 +5,12 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
 {
     public void CookieDefault()
     {
-        Response.Cookies.Append("auth", "secret"); // Bad: HttpOnly policy set to None
+        Response.Cookies.Append("auth", "secret"); // $ Alert // Bad: HttpOnly policy set to None
     }
 
     public void CookieDefault2()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert 
         Response.Cookies.Append("auth", "secret", cookieOptions); // Bad: HttpOnly policy set to None
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/options b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/options
new file mode 100644
index 000000000000..3282ecf48f65
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/options	
@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/CookieWithoutHttpOnly.expected b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/CookieWithoutHttpOnly.expected
new file mode 100644
index 000000000000..3a3d027e1f92
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/CookieWithoutHttpOnly.expected	
@@ -0,0 +1,3 @@
+| Program.cs:16:22:16:59 | object creation of type HttpCookie | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:32:22:32:59 | object creation of type HttpCookie | Cookie attribute 'HttpOnly' is not set to true. |
+| Program.cs:38:22:38:80 | object creation of type HttpCookie | Cookie attribute 'HttpOnly' is not set to true. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/CookieWithoutHttpOnly.qlref b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/CookieWithoutHttpOnly.qlref
new file mode 100644
index 000000000000..9cfe2cba2685
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/CookieWithoutHttpOnly.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-1004/CookieWithoutHttpOnly.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/Program.cs
similarity index 71%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/Program.cs
rename to csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/Program.cs
index 6ab389f63cce..3e63963712f0 100644
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/Program.cs	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/Program.cs	
@@ -11,6 +11,16 @@ void CookieDirectTrueInitializer()
         var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = true }; // GOOD
     }
 
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("sessionID"); // $Alert // BAD: httpOnlyCookies is set to false by default
+    }
+
+    void CookieDefaultForgery()
+    {
+        var cookie = new System.Web.HttpCookie("anticsrftoken"); // GOOD: not an auth cookie
+    }
+
     void CookieForgeryDirectFalse()
     {
         var cookie = new System.Web.HttpCookie("antiforgerytoken");
@@ -19,13 +29,13 @@ void CookieForgeryDirectFalse()
 
     void CookieDirectFalse()
     {
-        var cookie = new System.Web.HttpCookie("sessionID");
+        var cookie = new System.Web.HttpCookie("sessionID"); // $Alert 
         cookie.HttpOnly = false; // BAD
     }
 
     void CookieDirectFalseInitializer()
     {
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = false }; // BAD
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = false };  // $Alert // BAD
     }
 
     void CookieIntermediateTrue()
@@ -43,7 +53,7 @@ void CookieIntermediateTrueInitializer()
 
     void CookieIntermediateFalse()
     {
-        var cookie = new System.Web.HttpCookie("sessionID");
+        var cookie = new System.Web.HttpCookie("sessionID"); // MISSING:Alert 
         bool v = false;
         cookie.HttpOnly = v; // BAD
     }
@@ -51,6 +61,6 @@ void CookieIntermediateFalse()
     void CookieIntermediateFalseInitializer()
     {
         bool v = false;
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // BAD
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v };  // $MISSING:Alert // BAD
     }
 }
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/Web.config
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb/Web.config
rename to csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/Web.config
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/HttpOnly.expected b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesTrue/CookieWithoutHttpOnly.expected
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore/UseCookiePolicyCallback/HttpOnly.expected
rename to csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesTrue/CookieWithoutHttpOnly.expected
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesTrue/CookieWithoutHttpOnly.qlref b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesTrue/CookieWithoutHttpOnly.qlref
new file mode 100644
index 000000000000..9cfe2cba2685
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesTrue/CookieWithoutHttpOnly.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-1004/CookieWithoutHttpOnly.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesTrue/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesTrue/Program.cs
new file mode 100644
index 000000000000..cd60e4df262d
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesTrue/Program.cs	
@@ -0,0 +1,7 @@
+class Program
+{
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("auth"); // GOOD: httpOnlyCookies is set to true in config
+    }
+}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesTrue/Web.config
similarity index 71%
rename from csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/Web.config
rename to csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesTrue/Web.config
index 96fd10c05b72..8bb37742741a 100644
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/ConfigEmpty/Web.config	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesTrue/Web.config	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
   <system.web>
-    <httpCookies />
+    <httpCookies httpOnlyCookies="true"/>
   </system.web>
 </configuration>
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/options b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/options
new file mode 100644
index 000000000000..9414f8d8ef89
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/options	
@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: ${testdir}/../../../../../../resources/stubs/System.Web.cs
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/RequireSSL.expected b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/CookieBuilder/CookieWithoutSecure.expected
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/CookieBuilder/RequireSSL.expected
rename to csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/CookieBuilder/CookieWithoutSecure.expected
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/CookieBuilder/CookieWithoutSecure.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/CookieBuilder/CookieWithoutSecure.qlref
new file mode 100644
index 000000000000..bb0094e7d8fc
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/CookieBuilder/CookieWithoutSecure.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-614/CookieWithoutSecure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/CookieBuilder/Program.cs
similarity index 89%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/Program.cs
rename to csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/CookieBuilder/Program.cs
index 4f51bdb5bc5d..245c693f513f 100644
--- a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore/CookieBuilder/Program.cs	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/CookieBuilder/Program.cs	
@@ -11,12 +11,12 @@ public void ConfigureServices(IServiceCollection services)
         services.AddAuthentication().AddCookie(o =>
         {
             o.Cookie.HttpOnly = false;
-            o.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None;
+            o.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None; // $ Alert
         });
 
         services.AddSession(options =>
         {
-            options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None;
+            options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None; // $ Alert
             options.Cookie.HttpOnly = false;
         });
     }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/CookieWithoutSecure.expected b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/CookieWithoutSecure.expected
new file mode 100644
index 000000000000..4c2bbcca1cae
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/CookieWithoutSecure.expected	
@@ -0,0 +1,4 @@
+| Program.cs:5:9:5:48 | call to method Append | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:10:29:10:73 | object creation of type CookieOptions | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:35:29:35:73 | object creation of type CookieOptions | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:42:29:42:92 | object creation of type CookieOptions | Cookie attribute 'Secure' is not set to true. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/CookieWithoutSecure.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/CookieWithoutSecure.qlref
new file mode 100644
index 000000000000..bb0094e7d8fc
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/CookieWithoutSecure.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-614/CookieWithoutSecure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/Program.cs
similarity index 78%
rename from csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/Program.cs
rename to csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/Program.cs
index b1ad1aede91e..733e2d71fcc0 100644
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseAspNetCore/NoPolicy/Program.cs	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/Program.cs	
@@ -1,5 +1,16 @@
 public class MyController : Microsoft.AspNetCore.Mvc.Controller
 {
+    public void CookieDefault()
+    {
+        Response.Cookies.Append("name", "value"); // $Alert // BAD: Secure is set to false by default
+    }
+
+    public void CookieDefault2()
+    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert 
+        Response.Cookies.Append("name", "value", cookieOptions); // BAD: Secure is set to false by default
+    }
+
     public void CookieDelete()
     {
         var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
@@ -21,14 +32,14 @@ void CookieDirectTrueInitializer()
 
     void CookieDirectFalse()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert 
         cookieOptions.Secure = false;
         Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
     }
 
     void CookieDirectFalseInitializer()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = false };
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = false }; // $Alert 
         Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
     }
 
@@ -49,16 +60,16 @@ void CookieIntermediateTrueInitializer()
 
     void CookieIntermediateFalse()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $MISSING:Alert
         bool v = false;
         cookieOptions.Secure = v;
-        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
     }
 
     void CookieIntermediateFalseInitializer()
     {
         bool v = false;
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v };
-        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v }; // $MISSING:Alert 
+        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyAlways/CookieWithoutSecure.expected b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyAlways/CookieWithoutSecure.expected
new file mode 100644
index 000000000000..8b137891791f
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyAlways/CookieWithoutSecure.expected	
@@ -0,0 +1 @@
+
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyAlways/CookieWithoutSecure.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyAlways/CookieWithoutSecure.qlref
new file mode 100644
index 000000000000..bb0094e7d8fc
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyAlways/CookieWithoutSecure.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-614/CookieWithoutSecure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyAlways/Program.cs
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/Program.cs
rename to csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyAlways/Program.cs
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyCallback/CookieWithoutSecure.expected b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyCallback/CookieWithoutSecure.expected
new file mode 100644
index 000000000000..8b137891791f
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyCallback/CookieWithoutSecure.expected	
@@ -0,0 +1 @@
+
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyCallback/CookieWithoutSecure.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyCallback/CookieWithoutSecure.qlref
new file mode 100644
index 000000000000..bb0094e7d8fc
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyCallback/CookieWithoutSecure.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-614/CookieWithoutSecure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyCallback/Program.cs
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyCallback/Program.cs
rename to csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyCallback/Program.cs
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/RequireSSL.expected b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyNone/CookieWithoutSecure.expected
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/RequireSSL.expected
rename to csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyNone/CookieWithoutSecure.expected
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyNone/CookieWithoutSecure.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyNone/CookieWithoutSecure.qlref
new file mode 100644
index 000000000000..bb0094e7d8fc
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyNone/CookieWithoutSecure.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-614/CookieWithoutSecure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyNone/Program.cs
similarity index 86%
rename from csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/Program.cs
rename to csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyNone/Program.cs
index 9db1f5380d49..989412e3d02c 100644
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyNone/Program.cs	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/PolicyNone/Program.cs	
@@ -5,12 +5,12 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
 {
     public void CookieDefault()
     {
-        Response.Cookies.Append("auth", "secret"); // Bad: Secure policy set to None
+        Response.Cookies.Append("auth", "secret"); // $ Alert // Bad: Secure policy set to None
     }
 
     public void CookieDefault2()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions();
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert 
         Response.Cookies.Append("auth", "secret", cookieOptions); // Bad: Secure policy set to None
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/options b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/options
new file mode 100644
index 000000000000..3282ecf48f65
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/options	
@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/CookieWithoutSecure.expected b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/CookieWithoutSecure.expected
new file mode 100644
index 000000000000..4ef56f10d559
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/CookieWithoutSecure.expected	
@@ -0,0 +1,3 @@
+| Program.cs:5:22:5:60 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:34:22:34:60 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
+| Program.cs:40:22:40:79 | object creation of type HttpCookie | Cookie attribute 'Secure' is not set to true. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/CookieWithoutSecure.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/CookieWithoutSecure.qlref
new file mode 100644
index 000000000000..bb0094e7d8fc
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/CookieWithoutSecure.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-614/CookieWithoutSecure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/Program.cs
similarity index 68%
rename from csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/Program.cs
rename to csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/Program.cs
index 3a6d80b50c9d..250b1f7780e6 100644
--- a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLFalseSystemWeb/Program.cs	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/Program.cs	
@@ -1,5 +1,10 @@
 class Program
 {
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName"); // $Alert // BAD: requireSSL is set to false by default
+    }
+
     void CookieDirectTrue()
     {
         var cookie = new System.Web.HttpCookie("cookieName");
@@ -11,17 +16,6 @@ void CookieDirectTrueInitializer()
         var cookie = new System.Web.HttpCookie("cookieName") { Secure = true }; // GOOD
     }
 
-    void CookieDirectFalse()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName");
-        cookie.Secure = false; // BAD
-    }
-
-    void CookieDirectFalseInitializer()
-    {
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = false }; // BAD
-    }
-
     void CookieIntermediateTrue()
     {
         var cookie = new System.Web.HttpCookie("cookieName");
@@ -35,16 +29,27 @@ void CookieIntermediateTrueInitializer()
         var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // GOOD: should track local data flow
     }
 
-    void CookieIntermediateFalse()
+    void CookieDirectFalse()
     {
-        var cookie = new System.Web.HttpCookie("cookieName");
+        var cookie = new System.Web.HttpCookie("cookieName"); // $Alert 
+        cookie.Secure = false; // BAD
+    }
+
+    void CookieDirectFalseInitializer()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = false }; // $Alert // BAD
+    }
+
+        void CookieIntermediateFalse()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName"); // $MISSING:Alert
         bool v = false;
-        cookie.Secure = v; // BAD
+        cookie.Secure = v; // BAD, but not detected
     }
 
     void CookieIntermediateFalseInitializer()
     {
         bool v = false;
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // BAD
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // $MISSING:Alert // BAD, but not detected
     }
 }
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/Web.config
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/ConfigEmpty/Web.config
rename to csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/Web.config
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/options b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/options
new file mode 100644
index 000000000000..9414f8d8ef89
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/options	
@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: ${testdir}/../../../../../../resources/stubs/System.Web.cs
diff --git a/csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/HttpOnly.expected b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/FormsTrue/CookieWithoutSecure.expected
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb/HttpCookiesTrue/HttpOnly.expected
rename to csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/FormsTrue/CookieWithoutSecure.expected
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/FormsTrue/CookieWithoutSecure.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/FormsTrue/CookieWithoutSecure.qlref
new file mode 100644
index 000000000000..bb0094e7d8fc
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/FormsTrue/CookieWithoutSecure.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-614/CookieWithoutSecure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/FormsTrue/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/FormsTrue/Program.cs
new file mode 100644
index 000000000000..8f2c4cce0a4e
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/FormsTrue/Program.cs	
@@ -0,0 +1,7 @@
+class Program
+{
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName"); // GOOD: requireSSL is set to true in config
+    }
+}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/FormsTrue/Web.config
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/FormsTrue/Web.config
rename to csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/FormsTrue/Web.config
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/RequireSSL.expected b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/HttpCookiesTrue/CookieWithoutSecure.expected
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLAspNetCore/UseCookiePolicyAlways/RequireSSL.expected
rename to csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/HttpCookiesTrue/CookieWithoutSecure.expected
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/HttpCookiesTrue/CookieWithoutSecure.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/HttpCookiesTrue/CookieWithoutSecure.qlref
new file mode 100644
index 000000000000..bb0094e7d8fc
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/HttpCookiesTrue/CookieWithoutSecure.qlref	
@@ -0,0 +1,2 @@
+query: Security Features/CWE-614/CookieWithoutSecure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/HttpCookiesTrue/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/HttpCookiesTrue/Program.cs
new file mode 100644
index 000000000000..8f2c4cce0a4e
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/HttpCookiesTrue/Program.cs	
@@ -0,0 +1,7 @@
+class Program
+{
+    void CookieDefault()
+    {
+        var cookie = new System.Web.HttpCookie("cookieName"); // GOOD: requireSSL is set to true in config
+    }
+}
diff --git a/csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/HttpCookiesTrue/Web.config
similarity index 100%
rename from csharp/ql/test/experimental/Security Features/CWE-614/RequireSSLSystemWeb/HttpCookiesTrue/Web.config
rename to csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/HttpCookiesTrue/Web.config
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/options b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/options
new file mode 100644
index 000000000000..488c2bc3705f
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLTrue/options	
@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: ${testdir}/../../../../../../../resources/stubs/System.Web.cs