What it is
Cookies can be sent with every request. Without Secure they may be sent over HTTP; without HttpOnly they are readable by JavaScript (XSS); without SameSite they can be sent on cross-site requests (CSRF). Setting these attributes locks down session and auth cookies.
Why it matters
Insecure cookies are a common cause of session hijacking and CSRF. Secure ensures cookies only go over HTTPS. HttpOnly prevents script access. SameSite=Strict or Lax reduces CSRF risk. All three are recommended for session and authentication cookies.
How it is exploited
Without HttpOnly, an XSS payload reads document.cookie and posts the session ID to attacker.example, who pastes it into their browser and is logged in as the victim. Without Secure, the same cookie rides along on any HTTP request and gets sniffed on the wire. Without SameSite, attacker.example can submit a hidden form to your /transfer endpoint and the browser attaches the session cookie automatically.
How to fix it
- Add Secure. Set the Secure attribute so the cookie is only sent over HTTPS. Never send session cookies over HTTP.
- Add HttpOnly. Set HttpOnly so JavaScript cannot read the cookie. This limits XSS from stealing session tokens.
- Set SameSite. Use SameSite=Strict or SameSite=Lax. Strict sends the cookie only on same-site requests; Lax allows top-level navigations (e.g. link click). Avoid SameSite=None unless you need cross-site cookies (and then use Secure).
- Apply in your app or server. Configure your framework (e.g. Express session, Rails, Django) or Set-Cookie headers in your reverse proxy to include Secure; HttpOnly; SameSite=Lax (or Strict).
- Verify. Run a cookie security check or Barrion scan to confirm your cookies have the recommended attributes.
Examples by platform
Node.js (Express session)
const session = require('express-session');
// Behind a TLS-terminating reverse proxy, also set app.set('trust proxy', 1) so Express treats the request as HTTPS and issues the Secure cookie.
app.use(session({
  secret: process.env.SESSION_SECRET, // required by express-session; placeholder, keep the real secret out of source
  cookie: { secure: true, httpOnly: true, sameSite: 'lax', maxAge: 86400000 }
}));
Set-Cookie header example
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/
How to verify the fix
Inspect Set-Cookie attributes from a login response:
curl -sI https://example.com/login | grep -i set-cookie
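A small checker for the attributes discussed above, added here as an example that is not part of the original page or of any Barrion tool: it parses Set-Cookie header strings the way a browser splits them (the sample headers are constructed) and reports missing Secure, HttpOnly or SameSite, plus the SameSite=None-without-Secure case.

```javascript
// Audit Set-Cookie headers for the Secure / HttpOnly / SameSite attributes.
// Parse one header: "name=value" first, then ";"-separated attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    secure: false,
    httpOnly: false,
    sameSite: null, // null means the attribute was absent
  };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split('=');
    const k = key.trim().toLowerCase(); // attribute names are case-insensitive
    const v = rest.join('=').trim();
    if (k === 'secure') cookie.secure = true;
    else if (k === 'httponly') cookie.httpOnly = true;
    else if (k === 'samesite') cookie.sameSite = v.toLowerCase();
  }
  return cookie;
}

// Return the list of findings for one header (empty list = passes the checks on this page).
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.secure) findings.push('missing Secure');
  if (!c.httpOnly) findings.push('missing HttpOnly');
  if (c.sameSite === null) findings.push('missing SameSite');
  else if (c.sameSite === 'none' && !c.secure) findings.push('SameSite=None requires Secure');
  else if (c.sameSite === 'none') findings.push('SameSite=None: confirm cross-site use is intended');
  else if (!['strict', 'lax'].includes(c.sameSite)) findings.push(`unknown SameSite value "${c.sameSite}"`);
  return { name: c.name, findings };
}

function auditAll(headers) {
  return headers.map(auditCookie);
}

// Constructed sample headers (not captured from a real site).
const SAMPLE_HEADERS = [
  'session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/',
  'session=abc123; Path=/',
  'tracker=xyz; SameSite=None; Path=/',
];

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(r.name, r.findings.length ? r.findings.join(', ') : 'ok');
}
```

Feed it the lines printed by the curl command above (the part after "Set-Cookie:") to check a live response.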