The Cookie Security Checklist Every Developer Forgets

Cookies are the backbone of web authentication, and they're routinely misconfigured. A session cookie without the right flags can be stolen over an unencrypted connection, exfiltrated by injected JavaScript, or sent along with forged cross-site requests. The fix is a handful of attributes that take seconds to add.

The Secure flag

Without the Secure flag, a cookie will be transmitted over plain HTTP. If a user ever visits an HTTP version of your page — even accidentally — their session cookie is sent in cleartext across the network. Anyone on the same Wi-Fi network can grab it. The Secure flag ensures the cookie is only sent over HTTPS connections.

Set-Cookie: session=abc123; Secure

The HttpOnly flag

HttpOnly prevents JavaScript from accessing the cookie via document.cookie. This is your primary defence against XSS-based session theft. If an attacker manages to inject a script into your page, they can't read HttpOnly cookies. There is almost never a legitimate reason for client-side JavaScript to access a session cookie.

Set-Cookie: session=abc123; Secure; HttpOnly

The SameSite attribute

SameSite controls whether cookies are sent with cross-origin requests. Set to Strict, the cookie is never sent on cross-site requests — strong CSRF protection but can break legitimate navigation from external links. Set to Lax, cookies are sent on top-level navigations (clicking a link) but not on cross-origin POST requests or embedded resources. This is the recommended default for session cookies. Set to None, cookies are sent everywhere — only use this for third-party integrations and always combine with Secure.

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax

Cookie prefixes: __Host- and __Secure-

Cookie prefixes are an underused feature that provides extra guarantees enforced by the browser. A cookie named __Host-session must have the Secure flag, must not have a Domain attribute, and must have Path=/. This prevents a subdomain from overwriting your cookie — a real attack vector on shared hosting. __Secure- is less strict and only requires the Secure flag.

Set-Cookie: __Host-session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/

The complete cookie

Putting it all together, here's what a properly secured session cookie looks like. Every attribute serves a distinct purpose, and missing any one of them leaves a gap that attackers know how to exploit.

Set-Cookie: __Host-session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age=86400

Scan your cookies

KrakenProbe checks every cookie your site sets for missing Secure, HttpOnly, and SameSite flags, and flags cookies that should be using the __Host- prefix. Run a free scan to see what's exposed.