In fact, this is not so ... Flags are present only in the Set-Cookie header (response).
When the client (browser) receives the Set-Cookie header, it will store the flags along with the cookie value, but only for its own use (so that the browser itself can know when and where to send the cookie if necessary).
A Cookie header (request) cannot contain flags; it is just a list of <cookie-name>=<cookie-value> pairs, and when you (the server) receive them, you are not even guaranteed to have set them yourself.
This is because any application under the same domain name can set cookies for this domain. For example, an application running on example.com/foo might set cookies for example.com/bar or even another.example.com.
However, by eliminating the possibility of really terrible errors in the browser, you can be sure that if you set the "Secure" flag for a cookie in your response, the receiving browser will not send it over an unencrypted connection. This is not really 100% guaranteed, but it is really the only option you have, and almost the entire network relies on browsers that behave correctly, so you are not alone in this.
Unfortunately, this is how cookies work. Read the official standard for them here if you are interested in learning more about them.
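The asymmetry described in the answer above, as an added example that is not part of the original answer: a simplified browser model stores the flags from Set-Cookie and sends back only name=value pairs. The header values, the cookie names and the helper functions are constructed for illustration, and domain/path matching is deliberately left out.

```python
# Added illustration: constructed headers, simplified browser (no domain/path matching).

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, attrs) as a browser stores it."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, attr_val = part.partition("=")
        # Valueless attributes (Secure, HttpOnly) are recorded as True.
        attrs[key.strip().lower()] = attr_val.strip() if sep else True
    return name.strip(), val.strip(), attrs

def browser_store(set_cookie_headers):
    """Browser side: keep the flags next to each cookie value."""
    store = {}
    for header in set_cookie_headers:
        name, val, attrs = parse_set_cookie(header)
        store[name] = {"value": val, "attrs": attrs}
    return store

def cookie_request_header(store, scheme):
    """Browser side: build the Cookie header; Secure cookies go out over https only."""
    pairs = [f"{name}={c['value']}" for name, c in store.items()
             if scheme == "https" or not c["attrs"].get("secure")]
    return "; ".join(pairs)

def parse_cookie_header(value):
    """Server side: all that arrives is name=value pairs, with no flags or origin."""
    return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)

# Constructed sample: the first cookie is set by your application, the second
# by a different application under the same domain name.
RESPONSES = [
    "sid=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Domain=example.com; Path=/",
]

if __name__ == "__main__":
    store = browser_store(RESPONSES)
    for scheme in ("https", "http"):
        sent = cookie_request_header(store, scheme)
        print(scheme, "->", repr(sent), "->", parse_cookie_header(sent))
```

On the server, `sid` and `theme` arrive in the same flat form, so nothing in the request shows which application set a cookie or with which flags.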