Security Glossary

Cookie Security Flags

Cookie attributes (HttpOnly, Secure, SameSite) that control browser handling, protecting against session hijacking, XSS, and CSRF attacks.

Cookie Security Flags are attributes a server appends to a Set-Cookie header to tell the browser how a cookie may be stored and when it may be sent. They limit what an injected script (XSS), an attacker on the network path, or a page on another site can do with the cookie, and so defend against session hijacking and CSRF. The server only declares them; the browser enforces them, so their effect depends on browser support.

Security Attributes

HttpOnly

Set-Cookie: sessionid=abc123; HttpOnly

Prevents script access to the cookie: document.cookie will not include HttpOnly cookies.
Protects against cookie theft through XSS, but not against cookie use: a script injected into the page can still make requests that the browser sends with the cookie attached. HttpOnly limits the damage of an XSS, it does not neutralise it.

Secure

Set-Cookie: sessionid=abc123; Secure

Cookie is only sent over HTTPS connections; modern browsers also refuse to store a Secure cookie set by an http:// response (localhost is usually exempted).
Without it, an attacker on the network path who can make the browser request any http:// URL on the domain (a plain-HTTP image, a redirect) receives the cookie, even if the site itself is only served over HTTPS.
Always use for sensitive cookies.

SameSite

Set-Cookie: sessionid=abc123; SameSite=Strict
Set-Cookie: sessionid=abc123; SameSite=Lax
Set-Cookie: sessionid=abc123; SameSite=None; Secure

Strict: sent only on same-site requests. Not sent when the user follows a link from another site, so the first page load after such a navigation is unauthenticated.
Lax: sent on same-site requests and on cross-site top-level navigations that use a safe method (GET, HEAD); not sent on cross-site POSTs, iframes, images or fetch/XHR calls. Chrome and Edge treat a cookie with no SameSite attribute as Lax; Firefox and Safari do not, so set it explicitly rather than relying on a default.
None: sent on all cross-site requests; must be combined with Secure or the browser rejects the cookie.
SameSite compares sites (scheme plus registrable domain), not origins: app.example.com and api.example.com are the same site, so a request forged from a compromised subdomain is not blocked. Treat SameSite as defence in depth and keep a CSRF token.

Domain and Path

Set-Cookie: sessionid=abc123; Domain=example.com; Path=/app

Domain: which hosts receive the cookie. If omitted, the cookie is host-only and goes back only to the exact host that set it. Domain=example.com sends it to example.com and every subdomain. Note that any subdomain can set a cookie of the same name with Domain=example.com, and the server cannot tell the two copies apart in the Cookie header (cookie tossing).
Path: URL path prefix the request must match. Path is not a security boundary: the same-origin policy ignores it, so a page at /other can read a /app cookie through a same-origin frame. Isolate applications by hostname, not by path.
The __Host- name prefix (RFC 6265bis) makes the browser enforce Secure, no Domain and Path=/, so a __Host- cookie cannot be planted or shadowed from a subdomain.
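The attributes above compose into one yes/no decision the browser makes per request. The following is an added example, not code from the page or from any browser: a small model of that decision, run against the page's session cookie for a set of constructed request scenarios (evil.test stands in for an attacker's site). It assumes a "site" is the last two DNS labels, where real browsers use the Public Suffix List and also compare the scheme.

```javascript
// Added example: a model of the checks a browser runs before attaching a
// cookie to a request. Hypothetical code, not from any browser or library.
// Assumption: a "site" is the last two DNS labels; real browsers use the
// Public Suffix List and also compare the scheme (schemeful same-site).

function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// RFC 6265 section 5.1.4 path-match: exact match, or prefix match where the
// cookie path ends in "/" or the next character of the request path is "/".
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 section 5.1.3 domain-match. A cookie set without Domain is
// host-only: it goes back to exactly the host that set it (cookie.setBy).
function domainMatches(cookie, host) {
  if (cookie.domain === null) return host === cookie.setBy;
  const d = cookie.domain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Decide whether `cookie` is attached to `req`. req.initiator is the URL of
// the page that caused the request, or null for a typed URL / bookmark,
// which browsers treat as same-site.
function cookieSentWith(cookie, req) {
  const url = new URL(req.url);
  const host = url.hostname.toLowerCase();
  if (cookie.secure && url.protocol !== "https:") {
    return { sent: false, reason: "Secure: request is not HTTPS" };
  }
  if (!domainMatches(cookie, host)) return { sent: false, reason: "Domain: host does not match" };
  if (!pathMatches(cookie.path, url.pathname)) return { sent: false, reason: "Path: path does not match" };

  const sameSite = req.initiator === null ||
    siteOf(new URL(req.initiator).hostname) === siteOf(host);
  const safeMethod = ["GET", "HEAD", "OPTIONS", "TRACE"].includes(req.method.toUpperCase());
  if (cookie.sameSite === "Strict" && !sameSite) {
    return { sent: false, reason: "SameSite=Strict: cross-site request" };
  }
  if (cookie.sameSite === "Lax" && !sameSite && !(req.topLevel && safeMethod)) {
    return { sent: false, reason: "SameSite=Lax: cross-site request that is not a top-level safe-method navigation" };
  }
  return { sent: true, reason: "all attributes satisfied" };
}

// Constructed sample data: the page's session cookie as set by app.example.com.
const SESSION = { name: "sessionid", setBy: "app.example.com", domain: null, path: "/",
                  secure: true, httpOnly: true, sameSite: "Lax" };

// Constructed request scenarios; evil.test is a hypothetical attacker site.
const SCENARIOS = {
  "same-site fetch":              { url: "https://app.example.com/api/me",     initiator: "https://app.example.com/", method: "GET",  topLevel: false },
  "cross-site link click":        { url: "https://app.example.com/inbox",      initiator: "https://evil.test/",       method: "GET",  topLevel: true },
  "cross-site form POST (CSRF)":  { url: "https://app.example.com/transfer",   initiator: "https://evil.test/",       method: "POST", topLevel: true },
  "cross-site <img> subresource": { url: "https://app.example.com/avatar.png", initiator: "https://evil.test/",       method: "GET",  topLevel: false },
  "plain HTTP request":           { url: "http://app.example.com/",            initiator: null,                       method: "GET",  topLevel: true },
  "sibling subdomain":            { url: "https://api.example.com/",           initiator: "https://app.example.com/", method: "GET",  topLevel: false },
};

// Run every scenario against a cookie; returns { scenarioName: sent? }.
function report(cookie) {
  return Object.fromEntries(Object.entries(SCENARIOS)
    .map(([name, req]) => [name, cookieSentWith(cookie, req).sent]));
}

for (const mode of ["Strict", "Lax", "None"]) {
  console.log(`SameSite=${mode}:`, report({ ...SESSION, sameSite: mode }));
}
console.log("Domain=example.com:", report({ ...SESSION, domain: "example.com" }));
```

Reading the output side by side shows the trade-off the page's recommendation makes: Lax drops the cross-site form POST (the CSRF case) while still carrying the session on a link click from another site; Strict drops both; None drops neither. The sibling-subdomain row flips from blocked to sent as soon as Domain=example.com is added, and the Path check rejects /application for a cookie scoped to /app.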

Recommended Configuration

# Session cookie: no script access, HTTPS only, Lax so a link from another
# site still lands on a logged-in page while cross-site POSTs carry no session
Set-Cookie: sessionid=abc123; HttpOnly; Secure; SameSite=Lax; Path=/

# CSRF token cookie: no HttpOnly because the page script must read it and
# echo it in a request header (double-submit pattern); Strict is fine here
# because the token is never needed on a navigation from another site
Set-Cookie: csrftoken=xyz789; Secure; SameSite=Strict; Path=/

Common Mistakes

  • Missing HttpOnly on session cookies (an XSS payload can exfiltrate the session)
  • Missing Secure flag (cookies sent over plain HTTP to anyone on the network path)
  • SameSite=None without Secure (browsers reject the cookie, so whatever needed it breaks)
  • Relying on the browser's SameSite default instead of setting it explicitly
  • Relying on SameSite alone for CSRF protection, with no token
  • Overly broad Domain scope (every subdomain receives the cookie and can plant one of the same name)
  • Using Path to separate applications on one host (same-origin policy ignores Path)
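Most of these mistakes are visible in the Set-Cookie header itself, so they can be caught in a response-header check before the cookie ever reaches a browser. The following is an added example, not code from the page or from any library: a linter over Set-Cookie header strings that reports each of the mistakes above. The names it treats as session and CSRF-token cookies (sessionid, csrftoken) are assumptions taken from the page's sample headers and can be overridden by the caller; the sample headers are constructed.

```javascript
// Added example: a Set-Cookie header linter for the mistakes listed above.
// Hypothetical code, not from any library. Which cookie names are session
// cookies or CSRF tokens is an assumption supplied by the caller.

// Parse "name=value; Attr; Attr=val" into { name, value, attrs }.
// Attribute names are lowercased; attributes without a value map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const attrs = new Map();
  for (const part of rest) {
    const [k, ...v] = part.trim().split("=");
    attrs.set(k.trim().toLowerCase(), v.length ? v.join("=").trim() : true);
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Return a list of findings (empty when the header is clean).
function auditSetCookie(header, { sessionNames = ["sessionid"], csrfNames = ["csrftoken"] } = {}) {
  const { name, attrs } = parseSetCookie(header);
  const has = (k) => attrs.has(k);
  const sameSite = has("samesite") ? String(attrs.get("samesite")).toLowerCase() : null;
  const findings = [];

  if (!has("secure")) findings.push("missing Secure: cookie will be sent over plain HTTP");
  if (sessionNames.includes(name) && !has("httponly")) {
    findings.push("session cookie without HttpOnly: readable from document.cookie");
  }
  if (csrfNames.includes(name) && has("httponly")) {
    findings.push("CSRF token cookie with HttpOnly: the page script cannot read it to echo in a header");
  }
  if (sameSite === null) findings.push("no SameSite attribute: behaviour depends on browser defaults");
  if (sameSite === "none" && !has("secure")) findings.push("SameSite=None without Secure: browsers reject the cookie");
  if (has("domain")) findings.push(`Domain=${attrs.get("domain")}: cookie is sent to every subdomain`);
  // Cookie name prefixes (RFC 6265bis): the browser rejects cookies that violate them.
  if (name.startsWith("__Host-") && (!has("secure") || has("domain") || attrs.get("path") !== "/")) {
    findings.push("__Host- prefix requires Secure, no Domain and Path=/");
  } else if (name.startsWith("__Secure-") && !has("secure")) {
    findings.push("__Secure- prefix requires Secure");
  }
  return findings;
}

// Constructed sample headers: the page's two recommended cookies plus
// variants that each make one of the listed mistakes.
const SAMPLE_HEADERS = [
  "sessionid=abc123; HttpOnly; Secure; SameSite=Lax; Path=/",
  "csrftoken=xyz789; Secure; SameSite=Strict; Path=/",
  "sessionid=abc123",
  "sessionid=abc123; HttpOnly; SameSite=None; Path=/",
  "sessionid=abc123; HttpOnly; Secure; SameSite=Lax; Domain=example.com; Path=/",
  "__Host-sessionid=abc123; HttpOnly; Secure; SameSite=Lax",
];

// Audit every header; returns { header: [findings] }.
function auditAll(headers = SAMPLE_HEADERS) {
  return Object.fromEntries(headers.map((h) => [h, auditSetCookie(h)]));
}

for (const [header, findings] of Object.entries(auditAll())) {
  console.log(header);
  for (const f of findings) console.log("  -", f);
  if (findings.length === 0) console.log("  ok");
}
```

The same function can be dropped into an integration test that fetches a login endpoint and runs auditSetCookie over each Set-Cookie value in the response; a non-empty finding list fails the build.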
