
Cookie Security: SameSite, Secure, and HttpOnly Flags Explained

WebSentry Team

Why Cookie Security Matters

Cookies store sensitive data like session tokens, authentication state, and user preferences. Improperly configured cookies are a primary target for attackers, enabling session hijacking, cross-site request forgery (CSRF), and data theft.

The Three Essential Cookie Flags

1. HttpOnly

The HttpOnly flag prevents JavaScript from accessing the cookie. This is critical for session cookies because it blocks XSS attacks from stealing session tokens.

Set-Cookie: sessionId=abc123; HttpOnly

Without HttpOnly: An XSS vulnerability lets an attacker read document.cookie and steal your session token, impersonating the logged-in user.

With HttpOnly: Even if XSS exists, the cookie is invisible to JavaScript. The attack surface is dramatically reduced.

2. Secure

The Secure flag ensures the cookie is only sent over HTTPS connections, never HTTP. This prevents cookie interception on insecure networks (like public Wi-Fi).

Set-Cookie: sessionId=abc123; Secure

Every session cookie must have the Secure flag. Without it, an attacker can intercept cookies by forcing an HTTP connection.

3. SameSite

The SameSite attribute controls whether cookies are sent with cross-site requests, providing built-in CSRF protection.

Set-Cookie: sessionId=abc123; SameSite=Lax

There are three values:

  • Strict — Cookie is never sent on cross-site requests. Most secure, but can break legitimate flows like clicking a link from email
  • Lax — Cookie is sent on top-level navigations (clicking a link) but not on cross-site POST requests (including POST form submissions), iframes, or other embedded subresource requests. Best balance of security and usability
  • None — Cookie is always sent cross-site. Requires the Secure flag. Only use for intentionally cross-site cookies (embedded widgets, SSO)

The Perfect Cookie Configuration

For session cookies, use all three flags plus a reasonable expiration:

Set-Cookie: session=token123; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=604800

This cookie is:

  • Invisible to JavaScript (HttpOnly)
  • Only sent over HTTPS (Secure)
  • Protected against CSRF (SameSite=Lax)
  • Scoped to the root path
  • Expires in 7 days

Common Cookie Mistakes

  • No HttpOnly on session cookies — #1 most common cookie vulnerability
  • No Secure flag on an HTTPS site — The browser will also send the cookie over plain HTTP, so your HTTPS site is leaking cookies over HTTP
  • SameSite=None without Secure — Modern browsers reject this combination
  • Overly broad Path or Domain — Scope cookies as narrowly as possible
  • No expiration — Session cookies that live forever increase the attack window
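The recommended configuration above and the list of common mistakes can be turned into a small automated check. The following is an added example (not WebSentry's scanner or any library code): a parser for Set-Cookie headers plus an audit function that reports which of the flags discussed on this page are missing; the headers it runs on are constructed samples.

```python
# Added example: audit Set-Cookie headers for HttpOnly, Secure, SameSite,
# SameSite=None-without-Secure, expiration, and a broad Domain scope.
# Sample headers used in the demo below are constructed, not captured.
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header: str) -> List[str]:
    """Return a list of findings; an empty list means the cookie passes."""
    _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None unless Secure is also present.
        findings.append("SameSite=None requires Secure")
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append("no Max-Age or Expires")
    if "domain" in attrs:
        # A Domain attribute shares the cookie with every subdomain.
        findings.append("Domain attribute broadens scope to subdomains")
    return findings


if __name__ == "__main__":
    samples = [
        "session=token123; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=604800",
        "sessionId=abc123; Secure",
        "widget=1; SameSite=None; Domain=example.com",
    ]
    for sample in samples:
        print(parse_set_cookie(sample)[0], audit_cookie(sample) or "OK")
```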

Testing Your Cookie Security

WebSentry checks your cookie configuration as part of every security scan. It flags cookies missing HttpOnly, Secure, or SameSite attributes and provides specific remediation guidance.
