I am using play 2.1.0. I want to set a secure flag for request headers. I tried using application.session.cookie.secure=true in application.conf with https host. But still the security flag is not set in header.

Did not find much on internet.

I don't have a link to accompanying Play documentation to hand, but the configuration property you're looking for is:

session.secure=true

You can take a look in the source on the 2.1.x branch to see how Play uses this property.