Cookie Security: Protect Session State and Sensitive Flows

Cookies often carry authentication state, user preferences, and other sensitive browser data. Weak cookie settings can undercut an otherwise secure launch.

What This Check Looks For

  • Whether important cookies use the Secure attribute.
  • Whether cookies use HttpOnly where JavaScript access is unnecessary.
  • Whether SameSite is set appropriately to reduce cross-site request risk.
  • Whether the site appears to expose session cookies with unsafe defaults.

Why It Matters

Cookie security affects login integrity, session protection, and user trust. If sensitive cookies can travel over HTTP or be accessed too broadly, the site becomes easier to abuse.

Strong cookie settings are part of baseline production hardening, especially for authenticated pages, checkout flows, and account areas.

Common Problems

Missing Secure

Cookies without the Secure attribute can be sent over plain HTTP in some situations, for example when a user reaches the site over an http:// link. Sensitive cookies should be restricted to HTTPS transport.

Missing HttpOnly

If a session cookie is readable by JavaScript, it becomes easier to steal during an XSS incident.

Weak or absent SameSite

Weak or absent SameSite settings increase exposure to cross-site request forgery and other unwanted cross-site behavior, because the browser falls back to its own default policy.

Inconsistent configuration across environments

Reverse proxies, CDN settings, and framework defaults sometimes differ between staging and production, which can leave cookie flags partially applied.

Best Practices

  • Mark session and auth cookies as Secure.
  • Use HttpOnly unless a cookie truly needs JavaScript access.
  • Set SameSite=Lax or SameSite=Strict where the user flow allows it.
  • Review cookie behavior after login, checkout, and embedded third-party integrations.

Example JavaScript Config

Express session setup

// express-session must be installed and required before use.
const session = require('express-session');

app.use(session({
    secret: process.env.SESSION_SECRET,   // keep the signing secret out of source control
    resave: false,
    saveUninitialized: false,             // no session cookie until there is session data
    cookie: {
        secure: true,    // HTTPS only; behind a reverse proxy this also needs app.set('trust proxy', 1)
        httpOnly: true,  // not readable from document.cookie
        sameSite: 'lax', // not sent on cross-site POSTs, while top-level navigations still work
    },
}));

Cookie creation example

// A non-session cookie gets the same flags; drop httpOnly only if client-side script must read it.
res.cookie('preferences', 'dark-mode', {
    secure: true,
    httpOnly: true,
    sameSite: 'lax',
    maxAge: 1000 * 60 * 60 * 24 * 30, // 30 days, in milliseconds
});

Quick Check

Open the browser devtools, inspect the site's cookies, and verify the key flags on session-related cookies.

curl -I https://example.com

Then confirm that each Set-Cookie response header includes the flags Secure, HttpOnly, and SameSite=Lax or SameSite=Strict. A HEAD request to the front page only shows cookies set by that one response, so repeat the check against the responses that actually establish a session, such as the login response.
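To automate that check, here is an added example (not code from the original page) that parses Set-Cookie header values, such as those copied from the curl output, and reports which of the flags above are missing; the sample header values and the session cookie name list are constructed assumptions.

```javascript
// Added example (not code from the original page): audit Set-Cookie header values, e.g. copied
// from curl output, for the flags this check looks for. Sample values below are constructed.

// Split one Set-Cookie value into the cookie name and a map of lower-cased attributes.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    // Flag attributes (Secure, HttpOnly) carry no value; store them as true.
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Return a list of findings for one Set-Cookie value; an empty list means the flags look right.
// sessionNames is an assumption: the caller lists the cookies it treats as session/auth cookies.
function auditSetCookie(header, sessionNames = ['connect.sid']) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : null;
  if (!attributes.secure) findings.push(`${name}: missing Secure`);
  if (sessionNames.includes(name) && !attributes.httponly) {
    findings.push(`${name}: session cookie missing HttpOnly`);
  }
  if (!sameSite) {
    findings.push(`${name}: missing SameSite (browser default applies)`);
  } else if (sameSite === 'none' && !attributes.secure) {
    // Browsers reject SameSite=None without Secure, so the cookie may silently not be stored.
    findings.push(`${name}: SameSite=None requires Secure`);
  }
  return findings;
}

// Audit several header values at once (e.g. every Set-Cookie line from a login response).
function auditAll(headers, sessionNames) {
  return headers.flatMap((h) => auditSetCookie(h, sessionNames));
}

// Constructed samples: a hardened session cookie, one with bare defaults, one asking for cross-site use.
const sampleHeaders = [
  'connect.sid=s%3Aabc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'connect.sid=s%3Aabc123; Path=/',
  'embed_pref=1; Path=/; SameSite=None',
];
console.log(auditAll(sampleHeaders));
```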

Final Takeaway

Cookie security is not just a framework default. It should be verified as part of launch readiness so authentication and user sessions are protected in real production traffic.