How to fix: Cookie Secure / HttpOnly / SameSite
OWASP A07
GDPR Art. 32
RFC 6265
Why this matters
Every cookie should carry Secure (HTTPS-only transmission), HttpOnly (no JavaScript access — defends against XSS theft), and SameSite=Lax or Strict (defends against cross-site request forgery). Session cookies without these flags are an OWASP A05 misconfiguration that turns a small XSS or CSRF into a full account-takeover.
Background
Every cookie should carry Secure (HTTPS-only), HttpOnly (invisible to JavaScript, mitigating XSS theft), and SameSite=Lax or Strict (mitigating CSRF). Session cookies missing these flags are a common, cheap-to-fix finding.
References
RFC 6265 · OWASP cookie guidance · GDPR
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
Cookies are set by your application — nginx can rewrite them with proxy_cookie_path but the app is the right fix.
apache
Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly; SameSite=Lax" (requires mod_headers; use Header always edit if you also want non-2xx responses rewritten)
cloudflare
Workers can rewrite Set-Cookie, but fix at the app layer instead.
wordpress
wp-config.php: define('COOKIE_SECURE', true); also see ini_set('session.cookie_httponly', true).
flask
app.config.update(SESSION_COOKIE_SECURE=True, SESSION_COOKIE_HTTPONLY=True, SESSION_COOKIE_SAMESITE='Lax')
express
app.use(session({ cookie: { secure: true, httpOnly: true, sameSite: 'lax' } })) (express-session; behind a TLS-terminating proxy also set app.set('trust proxy', 1), otherwise secure cookies are never sent)
rails
config.session_store :cookie_store, secure: Rails.env.production?, httponly: true, same_site: :lax
Verify it's working
Open DevTools → Application → Cookies. Every row should have Secure ✓, HttpOnly ✓, SameSite Lax/Strict.