Cookie Security: HttpOnly, Secure, SameSite, and Best Practices

5 min read·Updated March 2026

HttpOnly: preventing JavaScript access

The HttpOnly flag prevents client-side JavaScript from reading the cookie. This is your primary defense against XSS-based session theft.

Without HttpOnly, if an attacker finds an XSS vulnerability on your site, they can run document.cookie to steal all cookies and send them to their server. With HttpOnly, the cookie is invisible to JavaScript — it's only sent with HTTP requests.

Rule: Always set HttpOnly on session cookies and authentication tokens. Only omit it for cookies that JavaScript legitimately needs to read (like theme preferences).

Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Lax; Path=/

Secure: HTTPS-only cookies

The Secure flag ensures the cookie is only sent over HTTPS connections. Without it, a cookie could be transmitted in plain text over HTTP, exposing it to network eavesdropping.

Rule: Set the Secure flag on every cookie in production. The only exception is during local development on localhost (which browsers treat as a secure context).

SameSite: CSRF protection

The SameSite attribute controls whether cookies are sent with cross-site requests. This is your defense against CSRF (Cross-Site Request Forgery) attacks.

  • SameSite=Strict — Cookie is never sent on cross-site requests. Most secure, but breaks legitimate flows like clicking a link from email to your logged-in site.
  • SameSite=Lax (recommended) — Cookie is sent on top-level navigations that use safe methods (clicking a link, a GET navigation) but not on cross-site sub-requests (images, iframes, AJAX) or cross-site POSTs. Good balance of security and usability.
  • SameSite=None; Secure — Cookie is sent on all cross-site requests. Required for third-party cookies (analytics, embeds). Must include the Secure flag.

Rule: Use SameSite=Lax for session cookies. Only use None if your cookie genuinely needs to work cross-site.

Tip

Modern browsers default to SameSite=Lax when no SameSite attribute is set. But don't rely on browser defaults — always set it explicitly for clarity and consistency.
