Home / Tools / Set secure cookie flags: HttpOnly, Secure, and SameSite
Security Headers · Scan Check Guide

Set secure cookie flags: HttpOnly, Secure, and SameSite

20 min Impact: high Effort: medium ✓ Scan-verified — no manual checkbox

Cookies that store session identifiers or other sensitive data need explicit security flags — without them, a cookie can be read by client-side scripts (including an injected malicious one), sent over an unencrypted connection, or leaked to a completely different site.

Cookies without HttpOnly can be stolen by JavaScript (XSS attacks). Cookies without Secure are sent over HTTP. Cookies without SameSite are vulnerable to CSRF attacks. These three flags are basic cookie hygiene.

How to fix it

  1. 1
    Add the HttpOnly flag
    Prevents JavaScript from reading the cookie at all — the single most effective defense against session-stealing via XSS.
  2. 2
    Add the Secure flag
    Ensures the cookie is only ever sent over HTTPS, never accidentally over a plain HTTP connection.
  3. 3
    Set SameSite appropriately
    SameSite=Lax (or Strict for the most sensitive cookies) stops the cookie being sent along with cross-site requests, closing off a class of CSRF attacks.
  4. 4
    Apply this to every cookie carrying meaningful data
    Session tokens, auth tokens, and CSRF tokens specifically — not necessarily every single cookie your site sets (e.g. pure UI preference cookies matter less).

Common mistakes

How you'll know it's done

Session and auth cookies all carry HttpOnly, Secure, and an appropriate SameSite value.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →