Cookie Security: Secure, HttpOnly & SameSite Flags
Cookie security is about making sure the cookies a site issues — especially the ones that hold a login session — cannot be stolen, tampered with, or replayed by an attacker. A session cookie is effectively a temporary password, so if it leaks, an attacker can impersonate the user without ever knowing their credentials. Three cookie attributes do most of the protecting: Secure, HttpOnly, and SameSite.
Why cookies are a target
Cookies are set by the server with the Set-Cookie response header and sent back by the browser on every subsequent request. Because a session cookie authenticates the user, it is a prime target: steal it over an insecure connection, read it with injected JavaScript, or trick the browser into sending it on a forged cross-site request, and you have hijacked the session. The three flags below each close one of those doors.
The three cookie security flags
| Flag | What it does | Threat it addresses |
|---|---|---|
| Secure | Cookie is only sent over HTTPS. | Interception over plaintext HTTP. |
| HttpOnly | Cookie is hidden from JavaScript. | Theft via XSS. |
| SameSite | Controls whether the cookie is sent on cross-site requests. | CSRF. |
A well-secured session cookie sets all three. A typical hardened header looks like this:
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/
Beyond the flags: scope and lifetime
- Keep sessions short. A shorter expiry limits how long a stolen cookie stays useful. Prefer session cookies (no
Max-Age/Expires) for logins where possible. - Scope tightly. Set a specific
Pathand avoid a broadDomainso the cookie is not sent where it is not needed. - Use the
__Host-prefix. A cookie named with the__Host-prefix must be Secure, have no Domain, and usePath=/, which the browser enforces — a strong lock for session cookies.
How to check your cookies
To see the Set-Cookie headers a site sends and whether the security flags are present, run it through the free HTTP headers checker, or review it with the rest of a site's protections in the security headers guide.
Related guides
Read the dedicated guides on each flag — Secure, HttpOnly, and SameSite — and the attacks they defend against: XSS and CSRF. Cookie flags sit alongside HTTP security headers in a defence-in-depth setup.
Frequently asked questions
What are the most important cookie security flags?
Secure (HTTPS-only), HttpOnly (hidden from JavaScript), and SameSite (cross-site control). Setting all three on session cookies is the baseline for cookie security.
Which flags should a session cookie have?
All three: Secure; HttpOnly; SameSite=Lax (or Strict), ideally with the __Host- name prefix and a short lifetime.
Do cookie flags stop XSS and CSRF entirely?
They limit the damage — HttpOnly stops cookie theft via XSS, SameSite blunts CSRF — but they are mitigations, not a substitute for fixing the underlying XSS and CSRF issues.