How to set Secure, HttpOnly, and SameSite cookie flags
Harden your cookies so they can't be stolen over plain HTTP, read by scripts, or replayed cross-site.
What it is
Cookie flags control when and how cookies are sent. `Secure` = HTTPS only, `HttpOnly` = not readable by JavaScript, `SameSite` = not sent on cross-site requests.
Why it matters
Cookies without these flags can be intercepted, stolen by injected scripts (XSS), or abused in cross-site request forgery (CSRF).
How to fix it
- 1Set every session/auth cookie with `Secure; HttpOnly; SameSite=Lax` (or `Strict` where possible).
- 2In most frameworks this is a cookie option — enable it in your session/auth config.
- 3Use `SameSite=None; Secure` only for cookies that genuinely must be sent cross-site.
- 4Re-scan to confirm all cookies carry the flags.
Not sure if your site is affected?
Run a free scan — or let us fix it all for you.