All fix guides

How to set Secure, HttpOnly, and SameSite cookie flags

Harden your cookies so they can't be stolen over plain HTTP, read by scripts, or replayed cross-site.

What it is

Cookie flags control when and how cookies are sent. `Secure` = HTTPS only, `HttpOnly` = not readable by JavaScript, `SameSite` = not sent on cross-site requests.

Why it matters

Cookies without these flags can be intercepted, stolen by injected scripts (XSS), or abused in cross-site request forgery (CSRF).

How to fix it

  1. 1Set every session/auth cookie with `Secure; HttpOnly; SameSite=Lax` (or `Strict` where possible).
  2. 2In most frameworks this is a cookie option — enable it in your session/auth config.
  3. 3Use `SameSite=None; Secure` only for cookies that genuinely must be sent cross-site.
  4. 4Re-scan to confirm all cookies carry the flags.

Not sure if your site is affected?

Run a free scan — or let us fix it all for you.

Privacy and cookie preferences

We use strictly necessary cookies to run the site. Analytics, marketing, and AI assistant telemetry are optional and disabled until you choose. You can update consent any time in Cookie Settings.

Some infrastructure cookies, such as load balancer routing cookies, are essential for service delivery. Details: Cookie Policy