Cookie Flags

Cookie flags are attributes added to cookies that enhance their security and control their behavior. They help protect against common attacks like data interception, XSS, and CSRF.

General

| Flag | Description |
| --- | --- |
| Secure | Instructs the browser to only send the cookie via HTTPS, preventing interception of the cookie over plain HTTP. |
| HttpOnly | Disallows scripts from accessing the cookie via the DOM document.cookie object. Helps against XSS attacks. |
| SameSite | Instructs the browser whether the cookie is sent with cross-site requests. Helps against CSRF attacks. |

SameSite

Instructs browsers on how to handle a cookie on cross-site requests (default value is Lax).

| Value | Description |
| --- | --- |
| None | Sends the cookie everywhere. Some browsers will block a cookie with this setting if the Secure flag is not set. |
| Lax | Doesn't send the cookie on cross-site requests. It will only send it when a user manually enters the URL in the browser or clicks a link to the site. |
| Strict | Sends the cookie only on same-origin requests. |
