Cookie Secure HttpOnly SameSite Audit
Validate session cookies against modern browser defaults and CSRF-resistant patterns.
1. Enforce `Secure` on every auth or session cookie in production, so the cookie is never sent over plain HTTP.
2. Set `HttpOnly` on tokens that never need JavaScript access; any XSS can read a cookie without it.
3. Set `SameSite` explicitly (`Lax` or `Strict`) rather than relying on the browser default: Chrome treats an unspecified value as `Lax`, but not every browser does.
4. For genuine cross-site flows, use `SameSite=None`, which browsers only accept together with `Secure`, and pair it with per-request CSRF tokens.
5. Omit `Domain` unless subdomains really need the cookie (setting it shares the cookie with every subdomain), set `Path` explicitly, and use the `__Host-` prefix where you can; `Path` alone is not a security boundary.
6. Re-test login, logout, and token refresh flows in the major browsers after every change, including SSO and domain migrations.
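A small Set-Cookie linter that checks each header against the six items above, as an added example for this page (not code from any framework or project). `parseSetCookie`, `auditSetCookie`, the `production`/`allowJs` options and the sample headers are this example's own assumptions; it also applies the `__Host-` prefix rules, which the checklist only names.

```javascript
// Added example (not from the page): lint Set-Cookie headers against the checklist.
// Function and option names are this example's own assumptions, not any library's API.

function parseSetCookie(header) {
  // Split "name=value; Attr; Attr=val" into the pair plus a lowercase-keyed
  // attribute map. Attribute names are case-insensitive (RFC 6265).
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

function auditSetCookie(header, { production = true, allowJs = false } = {}) {
  const { name, attrs } = parseSetCookie(header);
  const errors = [];
  const warnings = [];
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;

  // 1. Secure on every session cookie in production.
  if (production && !attrs.secure) errors.push('missing Secure');
  // 2. HttpOnly unless script access is a documented requirement.
  if (!allowJs && !attrs.httponly) errors.push('missing HttpOnly');
  // 3. Explicit SameSite rather than the browser default.
  if (!sameSite) warnings.push('no explicit SameSite; Chrome defaults to Lax, other browsers may not');
  // 4. SameSite=None must be Secure, and still needs a CSRF token on top.
  if (sameSite === 'none') {
    if (!attrs.secure) errors.push('SameSite=None without Secure is rejected by modern browsers');
    warnings.push('SameSite=None allows cross-site sends; pair with a CSRF token');
  }
  // 5. Domain widens scope to every subdomain; a missing Path defaults to the request directory.
  if (attrs.domain) warnings.push(`Domain=${attrs.domain} is sent to all subdomains; omit Domain for a host-only cookie`);
  if (attrs.path === undefined) warnings.push('no Path; browsers default it to the request URL directory, set it explicitly');
  // __Host- prefix: browsers drop the cookie unless Secure, Path=/ and no Domain.
  if (name.startsWith('__Host-') && (!attrs.secure || attrs.domain || attrs.path !== '/')) {
    errors.push('__Host- prefix requires Secure, Path=/ and no Domain');
  }
  return { name, errors, warnings };
}

function auditAll(headers, opts) {
  return headers.map((h) => auditSetCookie(h, opts));
}

// Constructed sample headers for the demo (not captured from any real service).
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; HttpOnly',
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  '__Host-sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
  '__Host-sid=abc123; Secure; HttpOnly; SameSite=Lax',
  'sso=tok; Domain=example.com; Path=/; Secure; SameSite=None',
];

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(`${r.name}: ${r.errors.length} error(s), ${r.warnings.length} warning(s)`);
  for (const e of r.errors) console.log(`  ERROR ${e}`);
  for (const w of r.warnings) console.log(`  WARN  ${w}`);
}
```

Run it against the `Set-Cookie` headers captured from a login, logout and refresh response in each environment (pass `{ production: false }` for local HTTP setups so only the non-TLS rule is relaxed); the split into `errors` and `warnings` mirrors what browsers reject outright versus what merely weakens the cookie.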
Implementation notes
Keep a cookie inventory per environment and route group: cookie name, flags, `Domain`, `Path`, and which service sets it. Teams usually discover weak cookie flags only after a migration or an SSO change has already shipped, so a periodic inventory diff catches regressions before they reach production.
FAQ
Is SameSite=None unsafe? Not by itself, but it opts the cookie out of the browser's SameSite CSRF defence. Browsers only accept it together with `Secure`, so it is acceptable only over HTTPS and with strong CSRF controls (per-request tokens) on every cross-site flow that relies on it.
Should refresh tokens be HttpOnly? Usually yes: a refresh token readable by script is stolen by any XSS. If the architecture genuinely needs script access, keep the token short-lived and rotate it on every use so a stolen copy has a narrow window.