It's right in the setcookie() documentation. Set parameter #6 to TRUE
:
@setcookie( $_name, $value, $expires, $_path, $_domain, TRUE, TRUE );
^-#6 secure
^-#7 httponly