
How to fix: Cookie Secure / HttpOnly / SameSite

OWASP A07 · GDPR Art. 32 · RFC 6265

Why this matters

Every cookie should carry Secure (HTTPS-only transmission), HttpOnly (no JavaScript access, which defends against cookie theft via XSS), and SameSite=Lax or Strict (which defends against cross-site request forgery). Session cookies without these flags are an OWASP A05 misconfiguration that turns a small XSS or CSRF into a full account takeover.

Background

Every cookie should carry Secure (HTTPS-only), HttpOnly (invisible to JavaScript, mitigating XSS theft), and SameSite=Lax or Strict (mitigating CSRF). Session cookies missing these flags are a common, cheap-to-fix finding.

References

RFC 6265 · OWASP cookie guidance · GDPR

How to fix

A code snippet for each stack we cover. Pick the one that matches your server or framework.

nginx
Cookies are set by your application. nginx can rewrite them with proxy_cookie_path, but the application is the right place to fix this.

apache
Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly; SameSite=Lax"

cloudflare
Workers can rewrite Set-Cookie, but fix it at the application layer instead.

wordpress
wp-config.php: define('COOKIE_SECURE', true); also see ini_set('session.cookie_httponly', true).

flask
app.config.update(SESSION_COOKIE_SECURE=True, SESSION_COOKIE_HTTPONLY=True, SESSION_COOKIE_SAMESITE='Lax')

express
const session = require('express-session');
// express-session requires a secret; load it from configuration, never hard-code it
app.use(session({ secret: process.env.SESSION_SECRET, cookie: { secure: true, httpOnly: true, sameSite: 'lax' } }));

rails
config.session_store :cookie_store, secure: Rails.env.production?, httponly: true, same_site: :lax

Verify it's working

Open DevTools → Application → Cookies. Every row should show Secure ✓, HttpOnly ✓, and SameSite Lax or Strict.
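The DevTools check above is manual and per-browser. The following is an added example (not part of this guide or any of the frameworks it lists) that performs the same check on raw Set-Cookie header values, so it can run in a test suite or against captured response headers. It uses only the Python standard library; the sample headers at the bottom are constructed for illustration and flag the edge case the DevTools view hides: SameSite=None gives no CSRF protection and is ignored by browsers unless Secure is also present.

```python
"""Audit Set-Cookie header values for Secure / HttpOnly / SameSite.

Added example (stdlib only). Input: one raw Set-Cookie value per header,
as a server emits it. Output: the findings a reviewer would raise.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieAudit:
    name: str
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to None because they carry no value. Only the first '='
    in the name=value pair is significant, so values containing '=' survive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Return the findings for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header)
    audit = CookieAudit(name=name, attributes=attrs)

    if "secure" not in attrs:
        audit.findings.append("missing Secure (cookie may be sent over plain HTTP)")
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly (readable from page scripts)")

    if "samesite" not in attrs:
        audit.findings.append("missing SameSite (set Lax or Strict explicitly)")
    else:
        same_site = (attrs["samesite"] or "").lower()
        if same_site == "none":
            # SameSite=None disables the CSRF protection the guide is after,
            # and browsers only honour it when Secure is also present.
            msg = "SameSite=None offers no CSRF protection"
            if "secure" not in attrs:
                msg += " and is rejected by browsers without Secure"
            audit.findings.append(msg)
        elif same_site not in ("lax", "strict"):
            audit.findings.append(f"unrecognised SameSite value {attrs['samesite']!r}")
    return audit


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> findings for every Set-Cookie header in a response."""
    return {a.name: a.findings for a in map(audit_set_cookie, headers)}


# Constructed sample headers; names and values are illustrative only.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "PHPSESSID=xyz; Path=/",
    "tracking=1; Secure; SameSite=None",
    "csrftoken=t0k=en; Path=/; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        status = "OK " if not findings else "FIX"
        print(f"{status} {cookie}: {'; '.join(findings) or 'all flags present'}")
```

Feed it the Set-Cookie values from a real response (for example the list a test client or an HTTP library exposes) and fail the build on any non-empty findings list for session and CSRF cookies.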
