
How to Secure Cookies with HttpOnly, Secure, and SameSite

security Feb 12, 2026 2 min read

SiteCurl inspects the Set-Cookie headers in your server’s responses and checks whether cookies include three security attributes: Secure, HttpOnly, and SameSite. Cookies missing any of these are flagged.

Why it matters

Cookies store sensitive information: session IDs, authentication tokens, and user preferences. Without proper security attributes, these values are vulnerable to theft.

  • Without Secure, the cookie is sent over unencrypted HTTP connections. An attacker on the network can intercept it.
  • Without HttpOnly, JavaScript on the page can read the cookie. If an attacker finds an XSS vulnerability, they can steal session cookies and impersonate the user.
  • Without SameSite, the cookie is sent with cross-site requests, enabling CSRF attacks where a malicious site tricks the user’s browser into making authenticated requests.

How to fix it

Every cookie that contains sensitive data should be set with all three attributes:

Set-Cookie: session_id=abc123; Secure; HttpOnly; SameSite=Lax

  • Secure: Only transmit over HTTPS
  • HttpOnly: Block JavaScript access
  • SameSite=Lax: Send only with same-site requests and top-level navigation (blocks CSRF while allowing normal links)

Framework-specific settings

Rails: Cookies are Secure and HttpOnly by default in production. To enforce SameSite:

Rails.application.config.action_dispatch.cookies_same_site_protection = :lax

Express.js:

app.use(session({
  cookie: { secure: true, httpOnly: true, sameSite: 'lax' }
}));

PHP:

session_set_cookie_params([
    'secure' => true,
    'httponly' => true,
    'samesite' => 'Lax'
]);

SameSite values

  • Strict: Cookie is never sent with cross-site requests. Most secure, but can break legitimate flows (like clicking a link from email).
  • Lax: Cookie is sent with same-site requests and top-level navigation. Good default for most sites.
  • None: Cookie is sent with all requests. Requires Secure. Only use for cross-site embed scenarios.
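The following is an added example, not SiteCurl's own code: a minimal version of the Set-Cookie audit the post describes, covering both the three required attributes from "How to fix it" and the rule from the list above that SameSite=None is only valid together with Secure. The response headers in the sample are constructed for illustration.

```python
# Added example (not SiteCurl's code): audit Set-Cookie headers for the
# Secure, HttpOnly and SameSite attributes. Sample input is constructed.
VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:  # tolerate a trailing ';' or doubled separators
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header: str) -> tuple[str, list[str]]:
    """Return (cookie name, list of problems) for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        problems.append("missing SameSite")
    elif samesite not in VALID_SAMESITE:
        problems.append(f"unknown SameSite value {attrs['samesite']!r}")
    elif samesite == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None cookies that are not also Secure.
        problems.append("SameSite=None requires Secure")
    return name, problems


def audit_response(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Audit every Set-Cookie header in a (name, value) header list."""
    return dict(audit_set_cookie(v) for k, v in headers if k.lower() == "set-cookie")


if __name__ == "__main__":
    # Constructed sample response: one compliant cookie, two flagged ones.
    sample_headers = [
        ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Set-Cookie", "prefs=dark; Path=/"),
        ("Set-Cookie", "embed=1; SameSite=None; HttpOnly"),
    ]
    for cookie, problems in audit_response(sample_headers).items():
        print(f"{cookie}: {'OK' if not problems else ', '.join(problems)}")
```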

Third-party cookies

If third-party scripts (analytics, chat widgets) set cookies without security attributes, you cannot fix those directly. Contact the vendor or consider self-hosting the script.

How to verify the fix

Check your cookies in Chrome DevTools: Application tab, Cookies section. Each cookie shows its attributes. Look for the Secure, HttpOnly, and SameSite columns. Run a SiteCurl scan to check across all pages automatically.

Cookie security is part of a broader security strategy that includes HTTPS/HSTS and Content Security Policy.
