Seoxpert.io
High · Security

Cookies Missing Secure or HttpOnly Flags

Some cookies lack Secure or HttpOnly flags, exposing them to interception or JavaScript access.

By Seoxpert Editorial · Published

Why it matters

Cookies without Secure or HttpOnly flags can be exploited by attackers to hijack user sessions or steal sensitive information. This can lead to data breaches, loss of user trust, and potential SEO penalties if user safety is compromised.

Impact

Leaving this unresolved increases the risk of session hijacking and makes XSS and CSRF attacks more damaging: an XSS payload can read a cookie that lacks HttpOnly, a cookie sent over plain HTTP can be intercepted, and a cookie without SameSite is attached to cross-site requests.

How it's detected

An automated crawler inspects HTTP response headers to identify cookies missing Secure or HttpOnly attributes.

Common causes

  • Cookies set without specifying Secure or HttpOnly attributes
  • Legacy code or outdated libraries that do not default to secure flags
  • Setting cookies via JavaScript without proper attributes
  • Misconfigured server-side frameworks or middleware

How to fix it

Update your server-side code to set the Secure and HttpOnly flags on all session and authentication cookies. Cookies written from client-side JavaScript (document.cookie) can carry the Secure attribute but never HttpOnly, so any cookie that must stay hidden from scripts has to be set by the server. Also add SameSite=Lax or SameSite=Strict to further protect against CSRF attacks. Then test your site to confirm that these cookies are only sent over HTTPS and are inaccessible to client-side scripts.

Code examples

PHP: Setting Secure and HttpOnly flags

// PHP 7.3+ options-array form of setcookie(); 'secure' and 'httponly'
// are the flags this page is about, 'samesite' adds CSRF protection.
setcookie('sessionid', $value, [
    'expires' => time() + 3600,
    'path' => '/',
    'secure' => true,
    'httponly' => true,
    'samesite' => 'Lax'
]);

Node.js (Express): Setting Secure and HttpOnly flags

// Express res.cookie() options: httpOnly keeps the cookie away from
// document.cookie, secure restricts it to HTTPS, sameSite limits CSRF.
res.cookie('sessionid', value, {
  httpOnly: true,
  secure: true,
  sameSite: 'lax'
});

HTTP Header: Correct Set-Cookie example

Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
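The detection step above (a crawler inspecting Set-Cookie headers) and the "test your site" step under How to fix it come down to the same check. The following Python is an added example, not Seoxpert's scanner: it parses a response's Set-Cookie headers (constructed sample values) and reports each cookie that lacks Secure, HttpOnly or SameSite, and also catches SameSite=None without Secure, a combination browsers reject.

```python
from typing import Dict, List

# Constructed Set-Cookie headers, as a crawler would collect them from one
# response; not taken from any real site.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrftoken=xyz789; Path=/; SameSite=Strict",
    "prefs=theme=dark; Path=/; Max-Age=2592000",
    "tracker=1; Path=/; SameSite=None",
]

def parse_set_cookie(header: str) -> Dict[str, str]:
    """Return cookie name/value plus attributes keyed in lower case."""
    # Only the first '=' separates name from value, so theme=dark survives.
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    parsed = {"__name__": name.strip(), "__value__": value.strip()}
    for attr in parts[1:]:
        if attr:  # skip empty segments left by a trailing ';'
            key, _, val = attr.partition("=")
            parsed[key.strip().lower()] = val.strip()  # flags map to ""
    return parsed

def audit_cookie(header: str) -> List[str]:
    """List the flag problems in one Set-Cookie header; [] means clean."""
    c = parse_set_cookie(header)
    findings = []
    if "secure" not in c:
        findings.append("missing Secure")
    if "httponly" not in c:
        findings.append("missing HttpOnly")
    samesite = c.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite.lower() == "none" and "secure" not in c:
        # Browsers drop SameSite=None cookies that are not also Secure.
        findings.append("SameSite=None without Secure")
    return findings

def audit_response(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name that has problems to its findings."""
    report = {}
    for h in headers:
        findings = audit_cookie(h)
        if findings:
            report[parse_set_cookie(h)["__name__"]] = findings
    return report
```

Running audit_response(SAMPLE_SET_COOKIE_HEADERS) reports csrftoken, prefs and tracker and leaves the correctly flagged sessionid out.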

FAQ

What is the risk of not setting the Secure flag on cookies?

Cookies without the Secure flag can be sent over unencrypted HTTP, making them vulnerable to interception by attackers.

Why should I use the HttpOnly flag on cookies?

The HttpOnly flag prevents JavaScript from accessing the cookie, reducing the risk of theft via XSS attacks.

Can I set Secure and HttpOnly flags on cookies set via JavaScript?

You can set the Secure flag, but HttpOnly can only be set by the server, not via client-side JavaScript.

Should all cookies have these flags or just session/authentication cookies?

At minimum, all session and authentication cookies should have Secure and HttpOnly flags for security.
