HTTP Cookie Security: Flags Every Developer Should Set

2026-04-17 · 6 min read · Cookies, Web Security

Why cookie security matters

Cookies carry session tokens, authentication state, and user preferences. If an attacker can steal or manipulate a cookie, they can hijack user sessions, bypass authentication, or perform actions on behalf of the user.

Most cookie attacks exploit missing security flags. Setting the right flags takes minutes and blocks entire categories of attacks.

Essential cookie flags

Secure

The Secure flag ensures the cookie is only sent over HTTPS connections. Without it, an attacker on a shared network can intercept cookies sent over plain HTTP.

Set-Cookie: session=abc123; Secure

HttpOnly

The HttpOnly flag prevents JavaScript from accessing the cookie via document.cookie. This is the primary defense against cross-site scripting (XSS) attacks that try to steal session tokens.

Set-Cookie: session=abc123; HttpOnly

SameSite

The SameSite attribute controls when cookies are sent with cross-site requests. It is the main defense against cross-site request forgery (CSRF) attacks.

  • Strict - cookie is never sent on cross-site requests
  • Lax - cookie is sent on top-level navigations with a safe method (following a link) but not on cross-site POST form submissions or embedded requests (images, iframes)
  • None - cookie is always sent (requires the Secure flag)

Set-Cookie: session=abc123; SameSite=Lax

For most session cookies, Lax provides the best balance of security and usability.
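To make the SameSite rules above concrete, here is an added Python model (not code from the original post) of the decision a browser makes before attaching a cookie to a request. The Cookie and Request types, the cookie_sent function and the sample scenarios are all constructed for illustration; the model covers only SameSite and Secure and ignores Path, Domain and expiry.

```python
from dataclasses import dataclass

# Added example: a minimal model of the browser-side decision "does this
# request carry the cookie?" for the SameSite and Secure rules. The types,
# function names and scenarios below are constructed for illustration.

SAFE_METHODS = {"GET", "HEAD"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str = "Lax"   # "Strict", "Lax" or "None"
    secure: bool = False


@dataclass(frozen=True)
class Request:
    scheme: str          # "http" or "https"
    cross_site: bool     # True when initiated from a different site than the target
    top_level: bool      # True for navigations that change the address bar
    method: str = "GET"


def cookie_stored(cookie: Cookie) -> bool:
    """Browsers reject SameSite=None unless Secure is also set."""
    return not (cookie.same_site == "None" and not cookie.secure)


def cookie_sent(cookie: Cookie, req: Request) -> bool:
    """Return True if a browser would attach the cookie to this request."""
    if not cookie_stored(cookie):
        return False                      # never stored, so never sent
    if cookie.secure and req.scheme != "https":
        return False                      # Secure cookies stay off plain HTTP
    if not req.cross_site:
        return True                       # same-site: SameSite does not apply
    if cookie.same_site == "Strict":
        return False                      # never on cross-site requests
    if cookie.same_site == "Lax":
        # Lax: only top-level navigations with a safe method (e.g. following a link).
        return req.top_level and req.method.upper() in SAFE_METHODS
    return True                           # None (and Secure): always sent


def scenarios() -> dict:
    """Constructed scenarios pairing each SameSite value with typical requests."""
    link = Request("https", cross_site=True, top_level=True, method="GET")
    form_post = Request("https", cross_site=True, top_level=True, method="POST")
    image = Request("https", cross_site=True, top_level=False, method="GET")
    same_site_post = Request("https", cross_site=False, top_level=True, method="POST")
    lax = Cookie("session", "Lax", secure=True)
    strict = Cookie("session", "Strict", secure=True)
    none_secure = Cookie("session", "None", secure=True)
    none_insecure = Cookie("session", "None", secure=False)
    return {
        "Lax, cross-site link click": cookie_sent(lax, link),
        "Lax, cross-site form POST": cookie_sent(lax, form_post),
        "Lax, cross-site image/iframe": cookie_sent(lax, image),
        "Lax, same-site form POST": cookie_sent(lax, same_site_post),
        "Strict, cross-site link click": cookie_sent(strict, link),
        "None+Secure, cross-site form POST": cookie_sent(none_secure, form_post),
        "None without Secure (rejected)": cookie_sent(none_insecure, link),
        "Secure cookie over plain HTTP": cookie_sent(lax, Request("http", False, True)),
    }


if __name__ == "__main__":
    for label, sent in scenarios().items():
        print(f"{label:38} -> {'sent' if sent else 'not sent'}")
```

Running the block prints one line per scenario; the two rows worth noting are that a Lax cookie does ride along on a cross-site link click (so Lax alone does not protect state-changing GET endpoints) and that a SameSite=None cookie set without Secure is never stored at all.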

Path

The Path attribute limits which URL paths receive the cookie. Set it to the narrowest scope needed.

Domain

The Domain attribute controls which hosts receive the cookie. Omitting it restricts the cookie to the exact host that set it. Setting it to your apex domain shares the cookie with all subdomains, which is a risk if any subdomain is compromised.

Max-Age and Expires

Set explicit expiration times. Session cookies (no expiry) are cleared when the browser closes, but persistent cookies live until their expiry date. Do not set unnecessarily long lifetimes.

Common mistakes

  • Missing Secure flag - cookies sent over HTTP can be intercepted
  • Missing HttpOnly on session cookies - XSS can steal sessions
  • SameSite=None without Secure - browsers reject this combination
  • Overly broad Domain - sharing cookies with all subdomains
  • No expiration on persistent tokens - stale tokens remain valid indefinitely

Recommended configuration

For a session cookie, use all flags together:

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age=86400

How to audit your cookies

Use CQwerty Shield's Cookie Checker to scan any website and see which cookies are set, what flags they use, and which security improvements are needed.

Key takeaways
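The same checks can be run offline against the Set-Cookie headers your own application emits. The Python below is an added example, not CQwerty Shield's Cookie Checker or code from the original post: it parses a Set-Cookie value and reports the mistakes listed under "Common mistakes" above, so the recommended configuration comes back clean. The function names, the 30-day lifetime threshold and the sample headers are constructed for illustration.

```python
from typing import Dict, List

# Added example: an offline checker for Set-Cookie headers that reports the
# common mistakes listed above. Names, the lifetime threshold and the sample
# headers are constructed for illustration, not taken from any real site.

# Assumed policy: flag persistent cookies that live longer than 30 days.
MAX_LIFETIME_SECONDS = 30 * 24 * 3600


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a dict of attributes.

    Attribute names are case-insensitive, so they are lower-cased; flag
    attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str, session_cookie: bool = True) -> List[str]:
    """Return a list of findings for one Set-Cookie header (empty means it passes)."""
    attrs = parse_set_cookie(header)["attrs"]
    findings: List[str] = []

    if "secure" not in attrs:
        findings.append("missing Secure: cookie can be sent over plain HTTP")
    if session_cookie and "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable from document.cookie")

    same_site = attrs.get("samesite")
    if same_site is None:
        findings.append("missing SameSite: behaviour depends on browser defaults")
    elif same_site.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject this cookie")
    elif same_site.lower() not in ("strict", "lax", "none"):
        findings.append(f"unknown SameSite value {same_site!r}")

    domain = attrs.get("domain")
    if domain:
        findings.append(f"Domain={domain}: cookie is shared with all subdomains")

    max_age = attrs.get("max-age")
    if max_age is not None:
        try:
            if int(max_age) > MAX_LIFETIME_SECONDS:
                findings.append(f"Max-Age={max_age}: lifetime exceeds the assumed "
                                f"maximum of {MAX_LIFETIME_SECONDS}s")
        except ValueError:
            findings.append(f"Max-Age={max_age!r} is not an integer")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit several Set-Cookie headers, keyed by cookie name."""
    return {parse_set_cookie(h)["name"]: audit_set_cookie(h) for h in headers}


# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age=86400",
    "session_legacy=abc123",
    "tracker=xyz; SameSite=None",
    "sso=tok; Secure; HttpOnly; SameSite=Lax; Domain=example.com; Max-Age=31536000",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Feed it the Set-Cookie values from your own responses (for example, collected from a test client) and treat any non-empty finding list as a build failure; the session_cookie flag exists so that non-sensitive preference cookies are not flagged for lacking HttpOnly.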

  • Always set Secure, HttpOnly, and SameSite on session cookies
  • Use SameSite=Lax as the default for most cookies
  • Avoid sharing cookies across subdomains unless necessary
  • Audit your cookies regularly as new features may introduce insecure defaults