Cookie Flags

Cookie flags are attributes added to cookies that enhance their security and control their behavior. They help protect against common attacks like data interception, XSS, and CSRF.

General

Flag	Description
Secure	Instructs browser to only send the cookie via HTTPS, preventing MiTM attacks.
HttpOnly	Dissallows scripts from accessing the cookies via the DOM document.cookie object. Helps against XSS attacks.
SameSite	Instructs browsers whether cookies are sent with cross-site requests. Helps against CSRF attacks.

SameSite

Instructs browers on how to handle a cookie on cross-site requests (default value is Lax).

Value	Description
None	Sends the cookie everywhere. Some browsers will block a cookie with this settings if the Secure flag is not set.
Lax	Doesn't send the cookie on cross-site requests. It will only send it when a user manually enters the URL in the browser or clicks a link to the site.
Strict	Sends the cookie only on same-origin requests.

Attack Scenario

A malicious attacker-controlled domain can trick an authenticated user into issuing cross-origin requests to a legitimate target site; with the session cookie set to SameSite=None, the browser automatically includes it, enabling CSRF attacks even though the HttpOnly attribute prevents client-side access.

Recommendations

Configure session cookies with SameSite=Lax or Strict where possible; if SameSite=None is required, implement comprehensive server-side CSRF mitigations, including per-request tokens and strict Origin/Referer validation, while maintaining Secure and HttpOnly attributes.

Resources

OWASP CheatSheet

Session Management - OWASP Cheat Sheet Seriescheatsheetseries.owasp.org

MDN Cookies Security