[{"data":1,"prerenderedAt":401},["ShallowReactive",2],{"blog-prompts/secure-cookies":3},{"id":4,"title":5,"body":6,"category":380,"date":381,"dateModified":382,"description":383,"draft":384,"extension":385,"faq":386,"featured":384,"headerVariant":387,"image":386,"keywords":386,"meta":388,"navigation":389,"ogDescription":390,"ogTitle":386,"path":391,"readTime":386,"schemaOrg":392,"schemaType":393,"seo":394,"sitemap":395,"stem":396,"tags":397,"twitterCard":399,"__hash__":400},"blog/blog/prompts/secure-cookies.md","Secure Cookie Configuration with AI Prompts",{"type":7,"value":8,"toc":370},"minimark",[9,16,21,24,94,98,101,126,136,140,143,212,216,231,285,301,317,321,324,344,358],[10,11,12],"tldr",{},[13,14,15],"p",{},"Cookie security depends on proper attributes: HttpOnly prevents XSS access, Secure ensures HTTPS-only, SameSite prevents CSRF. Most session cookies should have all three. These prompts help you audit your cookies and set them up correctly.",[17,18,20],"h2",{"id":19},"cookie-security-audit","Cookie Security Audit",[13,22,23],{},"Use this prompt to find every cookie your application sets and check its security attributes. Your AI will flag auth cookies missing HttpOnly, production cookies without Secure, and overly broad Domain scoping.",[25,26,28,31,34,56,59,74,77],"prompt-box",{"title":27},"Audit Cookie Configuration",[13,29,30],{},"Audit all cookies my application sets for security issues.",[13,32,33],{},"For each cookie, check:",[35,36,37,41,44,47,50,53],"ol",{},[38,39,40],"li",{},"HttpOnly: Is it set? (Required for auth cookies)",[38,42,43],{},"Secure: Is it set? (Required for production)",[38,45,46],{},"SameSite: What value? (Lax minimum for auth)",[38,48,49],{},"Domain: Is it properly scoped?",[38,51,52],{},"Path: Is it properly scoped?",[38,54,55],{},"Max-Age/Expires: Appropriate lifetime?",[13,57,58],{},"Find all places cookies are set:",[60,61,62,65,68,71],"ul",{},[38,63,64],{},"res.cookie() calls",[38,66,67],{},"Set-Cookie headers",[38,69,70],{},"document.cookie assignments",[38,72,73],{},"Framework session configuration",[13,75,76],{},"Flag issues:",[60,78,79,82,85,88,91],{},[38,80,81],{},"Session/auth cookies without HttpOnly",[38,83,84],{},"Any cookie without Secure in production",[38,86,87],{},"SameSite=None without Secure",[38,89,90],{},"Overly broad Domain scope",[38,92,93],{},"Very long expiration for session cookies",[17,95,97],{"id":96},"secure-session-cookie","Secure Session Cookie",[13,99,100],{},"Copy this prompt to configure your session cookie with HttpOnly, Secure, and SameSite attributes. Your AI will generate framework-specific code with proper settings for both production HTTPS and local HTTP development.",[25,102,104,107,114,117,120,123],{"title":103},"Configure Session Cookie",[13,105,106],{},"Configure my session cookie with proper security attributes.",[13,108,109,110],{},"Framework: ",[111,112,113],"span",{},"Next.js/Express/Django",[13,115,116],{},"Recommended settings:\nSet-Cookie: session=value; HttpOnly; Secure; SameSite=Lax; Path=/",[13,118,119],{},"Express example:\nres.cookie('session', sessionId, {\nhttpOnly: true,      // Not accessible via JavaScript\nsecure: true,        // HTTPS only\nsameSite: 'lax',     // CSRF protection\npath: '/',           // Available site-wide\nmaxAge: 24 * 60 * 60 * 1000, // 24 hours\n// domain: omit unless needed for subdomains\n});",[13,121,122],{},"For development (HTTP localhost):\nsecure: process.env.NODE_ENV === 'production'",[13,124,125],{},"Note: SameSite=Strict breaks OAuth flows\nSameSite=Lax is usually the right choice",[127,128,129],"warning-box",{},[13,130,131,135],{},[132,133,134],"strong",{},"HttpOnly is essential for auth cookies:"," Without it, any XSS on your site can steal session cookies. It's the difference between XSS being annoying and XSS being a full account takeover.",[17,137,139],{"id":138},"samesite-attribute-guide","SameSite Attribute Guide",[13,141,142],{},"This prompt asks your AI to help you choose the right SameSite value for each of your cookies. You'll get a clear explanation of Strict, Lax, and None with concrete examples showing when each is appropriate.",[25,144,146,149,152,155,169,172,186,189,203,206,209],{"title":145},"SameSite Configuration",[13,147,148],{},"Choose the right SameSite value for my cookies.",[13,150,151],{},"SameSite options:",[13,153,154],{},"Strict:",[60,156,157,160,163,166],{},[38,158,159],{},"Cookie only sent for same-site requests",[38,161,162],{},"Most secure but can break legitimate flows",[38,164,165],{},"User clicking link from email won't be logged in",[38,167,168],{},"Use for: high-security banking, admin panels",[13,170,171],{},"Lax (Recommended default):",[60,173,174,177,180,183],{},[38,175,176],{},"Sent for same-site + top-level navigation",[38,178,179],{},"Good balance of security and usability",[38,181,182],{},"User clicking link from email stays logged in",[38,184,185],{},"Use for: most session cookies",[13,187,188],{},"None:",[60,190,191,194,197,200],{},[38,192,193],{},"Sent with all requests (cross-site too)",[38,195,196],{},"Must be used with Secure",[38,198,199],{},"Needed for: cross-site iframes, third-party contexts",[38,201,202],{},"Use sparingly and only when required",[13,204,205],{},"Examples:\n// Standard session\nsameSite: 'lax'",[13,207,208],{},"// Admin session (extra security)\nsameSite: 'strict'",[13,210,211],{},"// Third-party widget that needs auth\nsameSite: 'none', secure: true",[17,213,215],{"id":214},"cookie-prefixes","Cookie Prefixes",[13,217,218,219,223,224,227,228,230],{},"Use this prompt to add ",[220,221,222],"code",{},"__Secure-"," and ",[220,225,226],{},"__Host-"," prefixes to your cookies for browser-enforced security. Your AI will show you how to implement the strictest ",[220,229,226],{}," prefix, which prevents subdomain cookie injection attacks.",[25,232,234,237,240,243,251,254,268,271,274],{"title":233},"Use Cookie Prefixes",[13,235,236],{},"Use cookie prefixes for additional security enforcement.",[13,238,239],{},"Cookie prefixes tell browsers to require certain attributes:",[13,241,242],{},"__Secure- prefix:",[60,244,245,248],{},[38,246,247],{},"Cookie must have Secure attribute",[38,249,250],{},"Must be set over HTTPS\nSet-Cookie: __Secure-session=value; Secure; ...",[13,252,253],{},"__Host- prefix (strictest):",[60,255,256,259,262,265],{},[38,257,258],{},"Must have Secure attribute",[38,260,261],{},"Must NOT have Domain attribute",[38,263,264],{},"Path must be /",[38,266,267],{},"Prevents subdomain attacks\nSet-Cookie: __Host-session=value; Secure; Path=/",[13,269,270],{},"Using __Host- prefix:\nres.cookie('__Host-session', value, {\nhttpOnly: true,\nsecure: true,\nsameSite: 'lax',\npath: '/'\n// No domain attribute!\n});",[13,272,273],{},"Benefits:",[60,275,276,279,282],{},[38,277,278],{},"Browser enforces security even if code has bugs",[38,280,281],{},"__Host- prevents subdomain cookie injection attacks",[38,283,284],{},"Defense in depth",[286,287,288],"tip-box",{},[13,289,290,293,294,300],{},[132,291,292],{},"Pro tip:"," Test your cookies at ",[295,296,297],"a",{"href":297,"rel":298},"https://securityheaders.com",[299],"nofollow"," or in browser DevTools (Application > Cookies). You can see all attributes and quickly spot missing security flags.",[302,303,304,311],"faq-section",{},[305,306,308],"faq-item",{"question":307},"Why doesn't my cookie work in development?",[13,309,310],{},"Secure cookies only work over HTTPS. For localhost development, either use HTTPS (mkcert), or conditionally disable Secure in dev (but always enable in production).",[305,312,314],{"question":313},"My OAuth login broke after adding SameSite. What do I do?",[13,315,316],{},"OAuth redirects are cross-site. Use SameSite=Lax (not Strict) which allows cookies on top-level navigations. If using iframes for auth, you may need SameSite=None with Secure.",[17,318,320],{"id":319},"further-reading","Further Reading",[13,322,323],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[60,325,326,332,338],{},[38,327,328],{},[295,329,331],{"href":330},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[38,333,334],{},[295,335,337],{"href":336},"/blog/how-to/hide-api-keys","How to hide API keys step-by-step",[38,339,340],{},[295,341,343],{"href":342},"/blog/best-practices/secrets","Secret management best practices",[345,346,347,353],"related-articles",{},[348,349],"related-card",{"description":350,"href":351,"title":352},"Session management","/blog/prompts/add-session-security","Add Session Security",[348,354],{"description":355,"href":356,"title":357},"Prevent cross-site attacks","/blog/prompts/add-csrf-protection","Add CSRF Protection",[359,360,363,367],"cta-box",{"href":361,"label":362},"/","Start Free Scan",[17,364,366],{"id":365},"check-your-cookie-security","Check Your Cookie Security",[13,368,369],{},"Scan your application for insecure cookie configuration.",{"title":371,"searchDepth":372,"depth":372,"links":373},"",2,[374,375,376,377,378,379],{"id":19,"depth":372,"text":20},{"id":96,"depth":372,"text":97},{"id":138,"depth":372,"text":139},{"id":214,"depth":372,"text":215},{"id":319,"depth":372,"text":320},{"id":365,"depth":372,"text":366},"prompts","2026-02-24","2026-03-06","AI prompts to configure cookies securely. Set HttpOnly, Secure, SameSite, and other attributes to protect session and authentication cookies.",false,"md",null,"cyan",{},true,"AI prompts to configure cookie security attributes properly.","/blog/prompts/secure-cookies","[object Object]","BlogPosting",{"title":5,"description":383},{"loc":391},"blog/prompts/secure-cookies",[398],"Frontend","summary_large_image","yuSp8jGxi1H8CVj6ru-Sneb2cROSgpFX6hAfwJtIKgY",1775843938377]