How to Secure Cookies (Secure, HttpOnly, SameSite)

Add the flags that stop cookies being stolen over HTTP, via XSS, or in CSRF attacks.

Easy High Impact 10 min

Why It Matters

A session cookie without the right flags can be sent over plain HTTP (Secure fixes this), read by JavaScript in an XSS attack (HttpOnly fixes this), or sent on cross-site requests in CSRF (SameSite fixes this). Auth cookies should always set all three.

How to Fix

Add the flags

Set Secure, HttpOnly and SameSite on session/auth cookies.

Choose the right SameSite

Use Lax for most cookies; Strict for the most sensitive; None; Secure only when a cookie must cross sites.

Code Fix

http

Before (broken)

Set-Cookie: session=abc123

After (fixed)

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/

Platform-Specific Instructions

WordPress

WordPress sets sensible auth-cookie flags on HTTPS; review custom cookies set by plugins or theme code.

Next.js

Set secure, httpOnly, sameSite in cookies().set() options.

Check with our tool

HTTP Header Checker

Want to find all issues at once?

Run a free audit and get a prioritized fix list with auto-generated code.

Run a free audit