Cookie Security Flags

Cookie security flags are attributes on the Set-Cookie header that control how browsers store and send cookies. Set correctly, they limit the damage from session hijacking, XSS, and CSRF; they do not fix the underlying injection bugs, they only reduce what an attacker can do with them.

Security Attributes

HttpOnly

Set-Cookie: sessionid=abc123; HttpOnly

Prevents script access to the cookie: document.cookie will not include it, and the browser also hides it from script in fetch/XHR response headers.
Protects against cookie theft via XSS, but only that. An XSS payload can still make authenticated requests from the victim's browser, so HttpOnly is a mitigation, not a substitute for fixing the XSS.

Secure

Set-Cookie: sessionid=abc123; Secure

Cookie is only sent over HTTPS connections, so a user who types http://example.com or is redirected there by an on-path attacker does not leak it.
Current browsers (Chrome and Firefox since 2017) also refuse to set or overwrite a Secure cookie from a plain-HTTP response.
Always use it for session and other sensitive cookies; on an HTTPS-only site there is no reason to omit it from any cookie.

SameSite

Set-Cookie: sessionid=abc123; SameSite=Strict
Set-Cookie: sessionid=abc123; SameSite=Lax
Set-Cookie: sessionid=abc123; SameSite=None; Secure

Strict: sent only on same-site requests. A user following a link to the site from somewhere else (an email, a search result) arrives without the cookie, so a Strict session appears logged out on entry.
Lax: same-site requests plus cross-site top-level navigations that use a safe method (GET, HEAD). Not sent on cross-site POST, iframe, img, or fetch requests, which blocks the classic form-based CSRF. Chromium treats a cookie with no SameSite attribute as Lax (with a short grace period for top-level POSTs); other browsers do not all do this, so set the attribute explicitly instead of relying on the default.
None: sent on all cross-site requests; browsers reject the cookie unless Secure is also present.
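The SameSite rules above, as a small decision model. This is an added example, not code from the original page; it answers "would the browser attach this cookie to this request?" for the cases that matter for CSRF and for login-by-link. Two assumptions that are not on the page: a missing SameSite attribute is treated as Lax (as Chromium does), and Chromium's two-minute "Lax+POST" grace period for freshly set attribute-less cookies is deliberately not modelled.

```python
# Added example: model of when a browser attaches a cookie under each SameSite
# mode. Assumption: absent SameSite is treated as Lax (Chromium behaviour);
# the Chromium "Lax+POST" two-minute exception is not modelled.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_attached(samesite, *, same_site, top_level, method, secure, https):
    """Return True if a browser would send the cookie on the request.

    samesite  : "Strict", "Lax", "None", or None when the attribute is absent
    same_site : request target and initiator share a registrable domain
    top_level : the request is a top-level navigation (address bar changes)
    method    : HTTP method of the request
    secure    : the cookie carries the Secure attribute
    https     : the request goes to an https:// URL
    """
    # Secure cookies never travel over plain HTTP, whatever SameSite says.
    if secure and not https:
        return False
    # SameSite only restricts cross-site requests.
    if same_site:
        return True
    mode = (samesite or "Lax").lower()  # assumption: Lax when attribute absent
    if mode == "none":
        # SameSite=None is rejected at set time without Secure, so an
        # insecure None cookie never exists in the cookie jar.
        return secure
    if mode == "strict":
        return False
    # Lax: only cross-site top-level navigations with a safe method.
    return top_level and method.upper() in SAFE_METHODS


def scenarios():
    """Constructed cases: an attacker page posting a form to the victim site
    (classic CSRF), a user clicking a link to the site from an email, and a
    cross-site subresource/fetch request."""
    csrf_post = dict(same_site=False, top_level=True, method="POST", https=True)
    email_link = dict(same_site=False, top_level=True, method="GET", https=True)
    background = dict(same_site=False, top_level=False, method="GET", https=True)
    return {
        "csrf_post/strict": cookie_attached("Strict", secure=True, **csrf_post),
        "csrf_post/lax": cookie_attached("Lax", secure=True, **csrf_post),
        "csrf_post/none": cookie_attached("None", secure=True, **csrf_post),
        "csrf_post/absent": cookie_attached(None, secure=True, **csrf_post),
        "email_link/strict": cookie_attached("Strict", secure=True, **email_link),
        "email_link/lax": cookie_attached("Lax", secure=True, **email_link),
        "img_or_fetch/lax": cookie_attached("Lax", secure=True, **background),
        "img_or_fetch/none": cookie_attached("None", secure=True, **background),
        "secure_over_http": cookie_attached("Lax", secure=True, same_site=True,
                                            top_level=True, method="GET", https=False),
    }


if __name__ == "__main__":
    for case, sent in sorted(scenarios().items()):
        print(f"{case:20} -> {'sent' if sent else 'withheld'}")
```

Running it shows the trade-off the text describes: Lax withholds the session cookie from a cross-site form POST (so the CSRF fails) but still sends it on a top-level link click, while Strict withholds it on both, and None with Secure sends it on everything, which is why a None session cookie needs a separate CSRF defence.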

Domain and Path

Set-Cookie: sessionid=abc123; Domain=example.com; Path=/app

Domain: which hosts receive the cookie. Omit it and the cookie is host-only, sent back only to the exact host that set it; Domain=example.com sends it to example.com and every subdomain, so a compromised or attacker-controlled subdomain can read it or overwrite it (cookie tossing).
Path: URL path prefix a request must match before the cookie is sent. Path is a scoping convenience, not a security boundary: the same-origin policy ignores paths, so a page on another path of the same origin can still read the cookie by framing a page under /app and reading its document.cookie.

Recommended Configuration

# Session cookie
Set-Cookie: sessionid=abc123; HttpOnly; Secure; SameSite=Lax; Path=/

# CSRF token cookie for the double-submit pattern (read by JS, so no HttpOnly)
Set-Cookie: csrftoken=xyz789; Secure; SameSite=Strict; Path=/

Use SameSite=Lax rather than Strict on the session cookie so links into the site still arrive authenticated, and keep the CSRF token anyway: Lax does not cover every cross-site request and not every browser enforces SameSite the same way.

Common Mistakes

  • Missing HttpOnly on session cookies, which lets any XSS read the session ID
  • Missing Secure flag, so the cookie is sent (and can be overwritten) over plain HTTP
  • SameSite=None without Secure; browsers discard the cookie, so the application silently loses state
  • Relying on the browser's SameSite default instead of setting the attribute explicitly
  • Overly broad Domain scope, e.g. Domain=example.com exposing the cookie to every subdomain
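The mistakes above are easy to check mechanically. The following is an added example, not code from the original page: a small auditor that parses Set-Cookie headers and reports each of the listed problems. The rules it applies (which cookies are allowed to be readable from JavaScript) are an assumption passed in by the caller, and the sample response it audits is constructed for the example.

```python
# Added example: audit Set-Cookie headers for the common mistakes listed on
# the page. Which cookie names may legitimately lack HttpOnly is an assumption
# supplied by the caller via js_readable.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive per RFC 6265, so they are lowered;
    valueless flags such as HttpOnly are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header, *, js_readable=()):
    """Return a list of findings for one Set-Cookie header.

    js_readable: cookie names that are meant to be read by script (for
    example a double-submit CSRF token), so missing HttpOnly is not reported.
    """
    name, _value, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    samesite = samesite.lower() if isinstance(samesite, str) else samesite
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent over plain HTTP")
    if "httponly" not in attrs and name not in js_readable:
        findings.append("missing HttpOnly: readable via document.cookie")
    if samesite is None:
        findings.append("no SameSite attribute: behaviour depends on browser default")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject the cookie")
    elif samesite not in ("strict", "lax", "none"):
        findings.append(f"unrecognised SameSite value {samesite!r}: browsers fall back to their default")
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']}: cookie shared with every subdomain")
    return findings


def audit_response(raw_headers, **kwargs):
    """Audit every Set-Cookie line in a block of raw response headers."""
    report = {}
    for line in raw_headers.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            name, _, _ = parse_set_cookie(val.strip())
            report[name] = audit_set_cookie(val.strip(), **kwargs)
    return report


# Constructed sample response: the recommended configuration plus one cookie
# per common mistake, as they would appear in a single HTTP response.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; HttpOnly; Secure; SameSite=Lax; Path=/
Set-Cookie: csrftoken=xyz789; Secure; SameSite=Strict; Path=/
Set-Cookie: legacy_session=old; Path=/
Set-Cookie: tracker=1; SameSite=None; HttpOnly
Set-Cookie: sso=tok; HttpOnly; Secure; SameSite=Lax; Domain=example.com
"""

if __name__ == "__main__":
    report = audit_response(SAMPLE_RESPONSE, js_readable=("csrftoken",))
    for name, findings in report.items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

The two cookies from the recommended configuration audit clean; legacy_session trips three checks, tracker trips the SameSite=None rule as well as Secure, and sso is flagged only for its broad Domain. Feeding the function real responses (for example from a proxy log) is a quick way to find session cookies that were never hardened.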

See Also