Skip to main content

Cookies with security attributes


The session cookies of web applications must have security attributes (HttpOnly, Secure, SameSite) and prefixes (e.g., __Host-).


When you have web applications that handle sessions, you can use different attributes to improve the security related to the cookies that handle these sessions. The attributes HttpOnly and Secure prevent the theft of the session cookie by denying the browser visibility and access to it (even when Cross Site Scripting [XSS] attacks are used) and allow the cookie to be sent only when the request is encrypted (using HTTPS). In this manner, session theft is greatly mitigated.

Supported In

This requirement is verified in following services




free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.