Session Cookies Missing Secure or HttpOnly Flags
Session cookies lack Secure or HttpOnly flags, exposing them to interception or theft via XSS.
By Seoxpert Editorial · Published
Why it matters
Session and authentication cookies set without the Secure or HttpOnly flag can be captured on a plaintext HTTP connection or read by script injected through XSS. Either path hands an attacker a valid session, which can lead to account compromise, data exposure, and loss of user trust, and in turn damages SEO and site reputation.
Impact
Leaving this unresolved exposes user sessions to theft via network interception or cross-site scripting attacks.
How it's detected
An automated crawler scans Set-Cookie headers for session-related names and checks for missing Secure or HttpOnly flags.
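The check described above, together with the header fix shown under "How to fix it", written out as an added Python example (it is not the scanner's own code). It parses raw Set-Cookie lines, decides whether a cookie name looks session-related, reports which of Secure and HttpOnly are missing, and emits a hardened header. The name patterns, the exclusion list (_ga, _fbp, XSRF-TOKEN, as in the FAQ) and the sample headers are all constructed assumptions for this example; a real scanner's list is not published on the page.

```python
"""Audit Set-Cookie headers for session cookies missing Secure/HttpOnly.

Added example; the name patterns, exclusions and sample headers below are
constructed for illustration, not taken from any real scanner.
"""
import re
from dataclasses import dataclass

# Cookies that are intentionally JS-readable and therefore not held to HttpOnly.
EXCLUDED = {"_ga", "_fbp", "xsrf-token"}
# Assumed heuristic for "session-related" names (case-insensitive substring match).
SESSION_RE = re.compile(r"sess|sid|auth|login|token", re.I)
# Canonical attribute spelling used when rebuilding a header.
CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires",
             "max-age": "Max-Age", "secure": "Secure", "httponly": "HttpOnly",
             "samesite": "SameSite"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value, or True for bare flags


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix).

    Splits on ';' only, so an Expires value containing commas stays intact.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return Cookie(name.strip(), value, attrs)


def is_session_cookie(name: str) -> bool:
    """Session-related by name, unless it is a known JS-readable exception."""
    if name.lower() in EXCLUDED:
        return False
    return bool(SESSION_RE.search(name))


def audit(headers):
    """Return [(cookie name, [missing flags])] for session cookies lacking flags."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not is_session_cookie(cookie.name):
            continue
        missing = [flag for flag in ("Secure", "HttpOnly")
                   if flag.lower() not in cookie.attrs]
        if missing:
            findings.append((cookie.name, missing))
    return findings


def harden(header: str, samesite: str = "Lax") -> str:
    """Rebuild a Set-Cookie value with Secure, HttpOnly and SameSite present.

    Existing attributes are kept in their original order; missing ones are
    appended. Note: a Secure cookie is only stored by browsers when the page
    itself was served over HTTPS (localhost excepted).
    """
    cookie = parse_set_cookie(header)
    attrs = dict(cookie.attrs)
    attrs.setdefault("secure", True)
    attrs.setdefault("httponly", True)
    attrs.setdefault("samesite", samesite)
    pieces = [f"{cookie.name}={cookie.value}"]
    for key, val in attrs.items():
        name = CANONICAL.get(key, key)
        pieces.append(name if val is True else f"{name}={val}")
    return "; ".join(pieces)


# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = [
    "Set-Cookie: session=xyz; Path=/",                                       # both flags missing
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly",                       # Secure missing
    "Set-Cookie: auth_token=t0k3n; Path=/; Secure; HttpOnly; SameSite=Lax",  # compliant
    "Set-Cookie: _ga=GA1.2.1; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT",  # excluded
    "Set-Cookie: XSRF-TOKEN=r4nd0m; Path=/; Secure; SameSite=Lax",           # excluded by design
]

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
    print(harden("session=xyz; Path=/"))
```

Running it reports `session` (missing Secure and HttpOnly) and `JSESSIONID` (missing Secure), skips the analytics and anti-CSRF cookies, and rewrites the page's insecure header into `session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax`. The audit should be run against every response that sets the cookie, not just the login response, since a framework that refreshes the session on each request will re-emit the header.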
Common causes
- Cookies set without Secure or HttpOnly flags in server responses
- Legacy code or frameworks with outdated cookie defaults
- Manual cookie handling without security best practices
- Lack of awareness about cookie security attributes
How to fix it
Set the Secure and HttpOnly attributes on every Set-Cookie header that carries a session or authentication cookie, and add a SameSite attribute (Lax unless you have a specific reason to use Strict). Configure this in the framework's session or cookie settings rather than per response, so the flags are present on every response that sets the cookie, not only at login.
Code examples
Insecure Set-Cookie header (problem)
Set-Cookie: session=xyz; Path=/
Secure Set-Cookie header (fix)
Set-Cookie: session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax
FAQ
Why do session cookies need the Secure flag?
The Secure flag ensures cookies are only sent over HTTPS, preventing interception over unencrypted connections.
What does the HttpOnly flag do for session cookies?
HttpOnly prevents JavaScript from accessing the cookie, protecting it from theft via XSS attacks.
Should I use SameSite=Strict or SameSite=Lax for session cookies?
Use SameSite=Lax for most cases: it still withholds the cookie from cross-site POSTs and subresource requests, the vectors CSRF relies on, while allowing top-level navigations so that a user following an external link arrives logged in. Use SameSite=Strict for highly sensitive authentication flows where that trade-off is acceptable, keeping in mind that Strict cookies are not sent on any cross-site navigation, so a link from another site lands the user on a logged-out page. In either case, SameSite is defence in depth, not a replacement for anti-CSRF tokens.
Are analytics or CSRF token cookies affected by this issue?
No. Cookies such as _ga, _fbp, and XSRF-TOKEN are read by JavaScript by design (an anti-CSRF token cookie has to be readable so the page can echo it in a request header), so HttpOnly would break them and the check excludes them. They can and should still carry the Secure flag and a SameSite attribute.