Quiz Entry - updated: 2026.07.14
What are the three main cookie security attributes, and what does each do?
Secure (HTTPS-only), HttpOnly (no JavaScript access), SameSite (no cross-site sending).
| Attribute | What it does | Attack it mitigates |
|---|---|---|
Secure |
Cookie is sent only on HTTPS requests | Network sniffing — without it the cookie leaks on any HTTP request, e.g. mistyped URL on Wi-Fi |
HttpOnly |
JavaScript on the page cannot read the cookie via document.cookie |
Cookie theft via stored or reflected XSS — the malicious script is in the page but can't see the cookie |
SameSite=Lax / Strict |
Browser doesn't send the cookie on cross-site requests (third-party <img>, <form>, etc.) |
CSRF — a malicious site can't trigger authenticated requests against the user's session |
Choosing SameSite values:
| Value | Behaviour | When to use |
|---|---|---|
Strict |
Never sent cross-site, even on top-level navigation | Banking — but breaks "follow email link to bank, end up logged out" |
Lax (default since Chrome 80) |
Sent on top-level GET navigations only | Sensible default for most session cookies |
None |
Sent on all cross-site requests | Required for cross-site embeds (third-party iframes); must be combined with Secure |
Modern recommended session cookie:
Set-Cookie: sid=…; HttpOnly; Secure; SameSite=Lax; Path=/
Tip: Setting all three is one line of config in every framework — there is no excuse to ship a session cookie without them. Most pen-test findings on the topic are simple oversights, not architectural problems.