SecurityStatus
Severity: medium | Category: Headers

Cookie Security

Cookies store session tokens, authentication credentials, and user preferences. Insecure cookie configuration allows attackers to steal these through XSS attacks, intercept them over HTTP, or use them in cross-site request forgery (CSRF) attacks. Three flags — Secure, HttpOnly, and SameSite — are the primary defences.

What SecurityStatus Checks

  • Whether session and authentication cookies have the Secure flag (HTTPS only)
  • Whether sensitive cookies have the HttpOnly flag (prevents JavaScript access)
  • Whether cookies have the SameSite attribute set (Strict, Lax, or None)
  • Whether cookies with SameSite=None also have the Secure flag (required by browsers)

Why This Matters

A cookie without HttpOnly can be stolen by JavaScript injected via an XSS vulnerability. A cookie without Secure can be transmitted over HTTP, allowing interception. SameSite=None without Secure is rejected by modern browsers. These flag misconfigurations are frequently exploited in session hijacking attacks.

How to Fix It

  1. Set the Secure flag on all sensitive cookies

     In your application code, add the Secure attribute when setting cookies. In PHP: `setcookie('session', $value, ['secure' => true, 'httponly' => true, 'samesite' => 'Lax'])`. In Express.js: `{ secure: true, httpOnly: true, sameSite: 'lax' }`.

  2. Set HttpOnly on all session cookies

     Never set HttpOnly=false on authentication or session cookies. There is almost no legitimate reason for JavaScript to read session cookie values.

  3. Set SameSite appropriately

     Use SameSite=Strict for maximum CSRF protection (it also breaks cross-site navigation into authenticated pages). Use SameSite=Lax for a good balance: it blocks CSRF via cross-site POST requests while allowing top-level GET navigation. Use SameSite=None only for genuine cross-site use cases such as embedded widgets; browsers require Secure alongside it.

  4. Scope cookies correctly

     Set the Domain and Path attributes to the narrowest scope needed. Avoid setting Domain=.yourdomain.com unless you specifically need cookie sharing across all subdomains, since any subdomain that is compromised can then read or overwrite the cookie.
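The following is an added example, not SecurityStatus code or output: it builds a Set-Cookie header with the flags from the four steps above, and audits any Set-Cookie header for the same conditions listed under "What SecurityStatus Checks" (Secure, HttpOnly, SameSite present and valid, SameSite=None paired with Secure, and Domain scope). The cookie names, values and the `SENSITIVE` name pattern are constructed for illustration; a real scanner would classify session cookies by its own rules.

```javascript
// Added example (not from SecurityStatus): emit a hardened Set-Cookie header
// and audit Set-Cookie headers for the cookie flags discussed on this page.
// Runs with plain Node.js, no dependencies.

// Build a Set-Cookie header value. Attribute names follow RFC 6265.
function buildSetCookie(name, value, attrs = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  parts.push(`Path=${attrs.path || '/'}`);
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${attrs.maxAge}`);
  if (attrs.secure) parts.push('Secure');
  if (attrs.httpOnly) parts.push('HttpOnly');
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header into the cookie name and a lower-cased attribute
// map. Flag attributes (Secure, HttpOnly) map to true; valued ones to strings.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, attrs };
}

// Constructed heuristic: cookie names that usually carry session/auth state.
const SENSITIVE = /session|sess|auth|token|sid|jwt/i;

// Audit one Set-Cookie header. Returns the cookie name and a list of findings;
// an empty list means the cookie passes every check described above.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const sensitive = SENSITIVE.test(name);
  const sameSite =
    typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;

  // Step 1: Secure on sensitive cookies (never sent over plain HTTP).
  if (sensitive && !attrs.secure) findings.push('missing Secure');
  // Step 2: HttpOnly on sensitive cookies (not readable by injected script).
  if (sensitive && !attrs.httponly) findings.push('missing HttpOnly');
  // Step 3: SameSite present and one of the three defined values.
  if (sameSite === undefined) findings.push('missing SameSite');
  else if (!['strict', 'lax', 'none'].includes(sameSite))
    findings.push(`invalid SameSite value "${attrs.samesite}"`);
  // SameSite=None is only honoured by browsers when Secure is also set.
  if (sameSite === 'none' && !attrs.secure)
    findings.push('SameSite=None without Secure (browsers reject this cookie)');
  // Step 4: a Domain attribute shares the cookie with every subdomain.
  if (typeof attrs.domain === 'string')
    findings.push(`Domain=${attrs.domain} shares the cookie with all subdomains`);
  return { name, findings };
}

// Audit several headers at once, e.g. the array from a response's
// getSetCookie() / raw 'set-cookie' header.
function auditSetCookies(headers) {
  return headers.map(auditSetCookie);
}

// Demo on constructed headers (not real captured traffic).
const demoHeaders = [
  buildSetCookie('session', 'abc 123', { secure: true, httpOnly: true, sameSite: 'Lax' }),
  'sessionid=xyz; Path=/; SameSite=None',
  'theme=dark; Path=/',
];
for (const result of auditSetCookies(demoHeaders)) {
  console.log(result.name, result.findings.length ? result.findings : 'OK');
}
```

Pipe the output of `curl -sI https://example.invalid | grep -i '^set-cookie'` (placeholder host) into `auditSetCookies` to reproduce the page's checks against a live response; the same logic can sit in a CI test that fails when a session cookie is emitted without the three flags.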

Frequently Asked Questions

What is the difference between HttpOnly and Secure?
HttpOnly prevents JavaScript from reading the cookie — it protects against XSS theft. Secure ensures the cookie is only sent over HTTPS connections — it protects against network interception. Use both.
Does SameSite=Lax break OAuth flows?
Some OAuth flows require cross-site cookie sending. If using SameSite=Strict and OAuth breaks, switch to Lax. If using a separate state cookie for OAuth, you may need SameSite=None; Secure for that specific cookie.
Can I audit my cookies without changing code?
Yes. Open your browser DevTools, go to the Application tab, and inspect your cookies. Look for session and auth cookies and check their flags. SecurityStatus also checks this automatically during a domain scan.
