[{"data":1,"prerenderedAt":200},["ShallowReactive",2],{"blog-vulnerabilities/insecure-cookies":3},{"id":4,"title":5,"body":6,"category":180,"date":181,"dateModified":181,"description":182,"draft":183,"extension":184,"faq":185,"featured":183,"headerVariant":186,"image":185,"keywords":185,"meta":187,"navigation":188,"ogDescription":189,"ogTitle":185,"path":190,"readTime":191,"schemaOrg":192,"schemaType":193,"seo":194,"sitemap":195,"stem":196,"tags":197,"twitterCard":198,"__hash__":199},"blog/blog/vulnerabilities/insecure-cookies.md","Insecure Cookies Explained",{"type":7,"value":8,"toc":173},"minimark",[9,16,21,88,92,107,111,120,142,161],[10,11,12],"tldr",{},[13,14,15],"p",{},"Session cookies without proper flags can be stolen via XSS (missing HttpOnly) or network interception (missing Secure), or abused by CSRF (missing SameSite). Always set all three flags on authentication cookies: HttpOnly, Secure, and SameSite=Lax or Strict.",[17,18,20],"h2",{"id":19},"cookie-security-flags","Cookie Security Flags",[22,23,24,40],"table",{},[25,26,27],"thead",{},[28,29,30,34,37],"tr",{},[31,32,33],"th",{},"Flag",[31,35,36],{},"What It Does",[31,38,39],{},"Prevents",[41,42,43,55,66,77],"tbody",{},[28,44,45,49,52],{},[46,47,48],"td",{},"HttpOnly",[46,50,51],{},"Cookie not accessible via JavaScript",[46,53,54],{},"XSS cookie theft",[28,56,57,60,63],{},[46,58,59],{},"Secure",[46,61,62],{},"Cookie only sent over HTTPS",[46,64,65],{},"Network interception",[28,67,68,71,74],{},[46,69,70],{},"SameSite=Strict",[46,72,73],{},"Cookie only sent on same-site requests",[46,75,76],{},"CSRF attacks",[28,78,79,82,85],{},[46,80,81],{},"SameSite=Lax",[46,83,84],{},"Sent on same-site requests and on top-level navigation",[46,86,87],{},"Most CSRF attacks",[17,89,91],{"id":90},"the-problem","The Problem",[93,94,96],"code-block",{"label":95},"Insecure cookie setting",[97,98,103],"pre",{"className":99,"code":101,"language":102},[100],"language-text","// Missing all security flags!\nres.cookie('session', token);\n\n// What this 
actually means:\n// - JavaScript can read it (XSS can steal it)\n// - Sent over HTTP (can be intercepted)\n// - Sent on cross-site requests (CSRF possible)\n","text",[104,105,101],"code",{"__ignoreMap":106},"",[17,108,110],{"id":109},"the-fix","The Fix",[93,112,114],{"label":113},"Secure cookie settings",[97,115,118],{"className":116,"code":117,"language":102},[100],"// Express example\nres.cookie('session', token, {\n  httpOnly: true,   // Can't be accessed by JavaScript\n  secure: true,     // Only sent over HTTPS\n  sameSite: 'lax',  // Blocked on cross-site subrequests; still sent on top-level navigation\n  maxAge: 7 * 24 * 60 * 60 * 1000,  // 7 days\n  path: '/'\n});\n\n// Next.js API route\nimport { cookies } from 'next/headers';\n\ncookies().set('session', token, {\n  httpOnly: true,\n  secure: process.env.NODE_ENV === 'production',\n  sameSite: 'lax',\n  maxAge: 60 * 60 * 24 * 7\n});\n",[104,119,117],{"__ignoreMap":106},[121,122,123,130,136],"faq-section",{},[124,125,127],"faq-item",{"question":126},"Should I use SameSite Strict or Lax?",[13,128,129],{},"Use Lax for most cases. Strict breaks legitimate flows like clicking links from emails. Lax allows cookies on top-level navigation while still blocking cross-site POST requests.",[124,131,133],{"question":132},"What about cookie prefixes like __Host-?",[13,134,135],{},"Cookie prefixes add extra security. __Host- requires Secure, no Domain, and Path=/. __Secure- requires the Secure flag. These prevent subdomain attacks.",[124,137,139],{"question":138},"Do I need Secure in development?",[13,140,141],{},"Localhost is usually exempted. 
Use secure: process.env.NODE_ENV === 'production' to apply the flag only in production.",[143,144,145,151,156],"related-articles",{},[146,147],"related-card",{"description":148,"href":149,"title":150},"Why HttpOnly matters","/blog/vulnerabilities/xss","XSS Explained",[146,152],{"description":153,"href":154,"title":155},"Why SameSite matters","/blog/vulnerabilities/csrf","CSRF Explained",[146,157],{"description":158,"href":159,"title":160},"Complete session guide","/blog/best-practices/session","Secure Sessions",[162,163,166,170],"cta-box",{"href":164,"label":165},"/","Start Free Scan",[17,167,169],{"id":168},"check-your-cookie-flags","Check Your Cookie Flags",[13,171,172],{},"Our scanner verifies your cookies have proper security flags.",{"title":106,"searchDepth":174,"depth":174,"links":175},2,[176,177,178,179],{"id":19,"depth":174,"text":20},{"id":90,"depth":174,"text":91},{"id":109,"depth":174,"text":110},{"id":168,"depth":174,"text":169},"vulnerabilities","2026-01-19","Missing cookie security flags can expose session tokens to theft via XSS or network attacks. Learn how to set HttpOnly, Secure, and SameSite flags properly.",false,"md",null,"red",{"noindex":188},true,"Learn how to secure your cookies with HttpOnly, Secure, and SameSite flags.","/blog/vulnerabilities/insecure-cookies","5 min read","[object Object]","TechArticle",{"title":5,"description":182},{"loc":190},"blog/vulnerabilities/insecure-cookies",[],"summary_large_image","DvfUdoFEklMX1PaxxZ876gWPkiijb7PbjUVYxTixrfA",1775843926559]