diff --git a/python/ql/test/experimental/query-tests/Security/CWE-614/InsecureCookie.qlref b/python/ql/test/experimental/query-tests/Security/CWE-614/InsecureCookie.qlref
new file mode 100644
index 00000000000..378d5dcae1a
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/InsecureCookie.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-614/InsecureCookie.ql
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-614/django_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-614/django_bad.py
new file mode 100644
index 00000000000..877231f8f14
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/django_bad.py
@@ -0,0 +1,13 @@
+import django.http
+
+
+def django_response(request):
+ resp = django.http.HttpResponse()
+ resp.set_cookie("name", "value", secure=None)
+ return resp
+
+
+def django_response(request):
+ resp = django.http.HttpResponse()
+ resp.set_cookie("name", "value")
+ return resp
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-614/django_good.py b/python/ql/test/experimental/query-tests/Security/CWE-614/django_good.py
new file mode 100644
index 00000000000..ebf16236de2
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/django_good.py
@@ -0,0 +1,19 @@
+import django.http
+
+
+def django_response(request):
+ resp = django.http.HttpResponse()
+ resp['Set-Cookie'] = "name=value; Secure;"
+ return resp
+
+
+def django_response(request):
+ resp = django.http.HttpResponse()
+ resp.set_cookie("name", "value", secure=True)
+ return resp
+
+
+def indeterminate(secure):
+ resp = django.http.HttpResponse()
+ resp.set_cookie("name", "value", secure)
+ return resp
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-614/flask_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-614/flask_bad.py
new file mode 100644
index 00000000000..7c7d6e8acd0
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/flask_bad.py 
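Review bot: django_bad.py defines `django_response` twice (the `secure=None` variant and the no-argument variant), so the second `def` rebinds the first at module level; the query still sees both bodies, but the file trips a plain lint (F811) and the duplicated name makes the expected-results output ambiguous to read. Give each case its own name, e.g. `def django_response_secure_none(request):` and `def django_response_default(request):`. The same duplicated name appears in django_good.py in this commit, where the header-assignment and `secure=True` cases also both use `django_response`.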
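Review bot: In `indeterminate` in django_good.py, `resp.set_cookie("name", "value", secure)` passes `secure` as the third positional argument, which in Django's `HttpResponse.set_cookie` signature is `max_age` rather than `secure` (`secure` comes after `max_age`, `expires`, `path` and `domain`); at runtime this cookie is sent without the Secure attribute whatever the parameter holds, so the case does not exercise what its name says. Use the keyword form as flask_good.py does: `resp.set_cookie("name", "value", secure=secure)`. If the intent is to check that the query models the positional index of `secure`, keep a separate positional case with the argument in the correct position and a comment saying so, since as written it is indistinguishable from a bad call.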
@@ -0,0 +1,34 @@
+from flask import Flask, request, make_response, Response
+
+app = Flask(__name__)
+
+
+@app.route("/false")
+def false():
+ resp = make_response()
+ resp.set_cookie("name", value="value", secure=False)
+ return resp
+
+
+@app.route("/none")
+def none():
+ resp = make_response()
+ resp.set_cookie("name", value="value", secure=None)
+ return resp
+
+
+@app.route("/flask_Response")
+def flask_Response():
+ resp = Response()
+ resp.headers['Set-Cookie'] = "name=value;"
+ return resp
+
+
+@app.route("/flask_make_response")
+def flask_make_response():
+ resp = make_response("hello")
+ resp.headers['Set-Cookie'] = "name=value;"
+ return resp
+
+# if __name__ == "__main__":
+# app.run(debug=True)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-614/flask_good.py b/python/ql/test/experimental/query-tests/Security/CWE-614/flask_good.py
new file mode 100644
index 00000000000..05ee3f28657
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-614/flask_good.py
@@ -0,0 +1,34 @@
+from flask import Flask, request, make_response, Response
+
+app = Flask(__name__)
+
+
+@app.route("/true")
+def true():
+ resp = make_response()
+ resp.set_cookie("name", value="value", secure=True)
+ return resp
+
+
+@app.route("/flask_Response")
+def flask_Response():
+ resp = Response()
+ resp.headers['Set-Cookie'] = "name=value; Secure;"
+ return resp
+
+
+@app.route("/flask_make_response")
+def flask_make_response():
+ resp = make_response("hello")
+ resp.headers['Set-Cookie'] = "name=value; Secure;"
+ return resp
+
+
+def indeterminate(secure):
+ resp = make_response()
+ resp.set_cookie("name", value="value", secure=secure)
+ return resp
+
+
+# if __name__ == "__main__":
+# app.run(debug=True)
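Review bot: flask_bad.py covers `secure=False` and `secure=None` but not a `set_cookie` call that omits `secure` entirely, which is the most common pattern in real code and the one django_bad.py in this commit does cover; add a route with `resp.set_cookie("name", value="value")` so the query's handling of Flask's default is tested for both frameworks. `request` is imported on the first line but never used, here and in flask_good.py. The commented-out `if __name__ == "__main__":` block at the end of both Flask files carries no test value and can be dropped.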