Securing Cookies with HttpOnly, Secure, and SameSite

Think of cookie attributes as security guards for your session data. Flags like `HttpOnly`, `Secure`, and `SameSite` are rules you set on the server to tell the browser how to handle a cookie, preventing common attacks. They are critical for session tokens: `HttpOnly` blocks JavaScript access (mitigating cross-site scripting, XSS), `Secure` requires HTTPS, and `SameSite` defends against cross-site request forgery (CSRF). The footgun is setting `SameSite=None` for cross-domain use without also setting `Secure`; modern browsers will simply reject the cookie.
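An added example (not from the MDN page): a small Node helper that builds a `Set-Cookie` header from an Express-style options object and refuses the `SameSite=None` without `Secure` footgun, plus an audit function that flags a session cookie missing any of the three attributes. `buildSetCookie` and `auditSetCookie` are hypothetical helpers, not Express APIs.

```javascript
const SAMESITE = new Set(['Strict', 'Lax', 'None']);

// Build a Set-Cookie header value from options shaped like Express's res.cookie()
// (httpOnly, secure, sameSite, path, maxAge in milliseconds). Hypothetical helper.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.httpOnly) parts.push('HttpOnly');           // not readable by document.cookie
  if (opts.secure) parts.push('Secure');               // only sent over HTTPS
  if (opts.sameSite) {
    const v = opts.sameSite[0].toUpperCase() + opts.sameSite.slice(1).toLowerCase();
    if (!SAMESITE.has(v)) throw new Error(`invalid SameSite value: ${opts.sameSite}`);
    // Footgun: browsers reject SameSite=None cookies that are not also Secure.
    if (v === 'None' && !opts.secure) throw new Error('SameSite=None requires Secure');
    parts.push(`SameSite=${v}`);
  }
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  return parts.join('; ');
}

// Audit an outgoing Set-Cookie header for the session-cookie hardening described above.
// Returns a list of findings; an empty list means all three attributes are set correctly.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map((s) => s.trim());
  const has = (n) => attrs.some((a) => a.toLowerCase() === n.toLowerCase());
  const ss = attrs.find((a) => /^samesite=/i.test(a));
  const sameSite = ss ? ss.split('=')[1] : null;
  const findings = [];
  if (!has('HttpOnly')) findings.push('missing HttpOnly: readable by JavaScript (XSS exposure)');
  if (!has('Secure')) findings.push('missing Secure: may be sent over plaintext HTTP');
  if (!sameSite) findings.push('missing SameSite: browser default applies (CSRF exposure)');
  if (sameSite && sameSite.toLowerCase() === 'none' && !has('Secure')) {
    findings.push('SameSite=None without Secure: modern browsers reject this cookie');
  }
  return findings;
}

// Constructed sample: a hardened session cookie and a rejected cross-site one.
const good = buildSetCookie('sid', 'abc123', { httpOnly: true, secure: true, sameSite: 'lax', path: '/' });
console.log(good, auditSetCookie(good));                       // no findings
console.log(auditSetCookie('sid=abc123; SameSite=None; Path=/')); // three findings
```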
Read the original → developer.mozilla.org
- #security
- #cookies
- #web
- #http
- #express