Cookies that store session identifiers or other sensitive data need explicit security flags — without them, a cookie can be read by client-side scripts (including an injected malicious one), sent over an unencrypted connection, or leaked to a completely different site.
Cookies without HttpOnly can be stolen by JavaScript (XSS attacks). Cookies without Secure are sent over HTTP. Cookies without SameSite are vulnerable to CSRF attacks. These three flags are basic cookie hygiene.
Session and auth cookies all carry HttpOnly, Secure, and an appropriate SameSite value.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →