Cookie Security: Secure, HttpOnly & SameSite Flags

Jul 16, 2026
Updated Jul 16, 2026 Cookie Security cookie security secure cookie flags session cookie security set-cookie security

Cookie security is about making sure the cookies a site issues — especially the ones that hold a login session — cannot be stolen, tampered with, or replayed by an attacker. A session cookie is effectively a temporary password, so if it leaks, an attacker can impersonate the user without ever knowing their credentials. Three cookie attributes do most of the protecting: Secure, HttpOnly, and SameSite.

Why cookies are a target

Cookies are set by the server with the Set-Cookie response header and sent back by the browser on every subsequent request. Because a session cookie authenticates the user, it is a prime target: steal it over an insecure connection, read it with injected JavaScript, or trick the browser into sending it on a forged cross-site request, and you have hijacked the session. The three flags below each close one of those doors.

The three cookie security flags

FlagWhat it doesThreat it addresses
SecureCookie is only sent over HTTPS.Interception over plaintext HTTP.
HttpOnlyCookie is hidden from JavaScript.Theft via XSS.
SameSiteControls whether the cookie is sent on cross-site requests.CSRF.

A well-secured session cookie sets all three. A typical hardened header looks like this:

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/

Beyond the flags: scope and lifetime

  • Keep sessions short. A shorter expiry limits how long a stolen cookie stays useful. Prefer session cookies (no Max-Age/Expires) for logins where possible.
  • Scope tightly. Set a specific Path and avoid a broad Domain so the cookie is not sent where it is not needed.
  • Use the __Host- prefix. A cookie named with the __Host- prefix must be Secure, have no Domain, and use Path=/, which the browser enforces — a strong lock for session cookies.

How to check your cookies

To see the Set-Cookie headers a site sends and whether the security flags are present, run it through the free HTTP headers checker, or review it with the rest of a site's protections in the security headers guide.

Related guides

Read the dedicated guides on each flag — Secure, HttpOnly, and SameSite — and the attacks they defend against: XSS and CSRF. Cookie flags sit alongside HTTP security headers in a defence-in-depth setup.

Frequently asked questions

What are the most important cookie security flags?

Secure (HTTPS-only), HttpOnly (hidden from JavaScript), and SameSite (cross-site control). Setting all three on session cookies is the baseline for cookie security.

Which flags should a session cookie have?

All three: Secure; HttpOnly; SameSite=Lax (or Strict), ideally with the __Host- name prefix and a short lifetime.

Do cookie flags stop XSS and CSRF entirely?

They limit the damage — HttpOnly stops cookie theft via XSS, SameSite blunts CSRF — but they are mitigations, not a substitute for fixing the underlying XSS and CSRF issues.

Scan for these vulnerabilities

Secably automatically detects the issues discussed in this article.

Start Free Scan