Medium
GDPR Art. 32
ISO 27001 A.8.26
Set Secure, HttpOnly and SameSite on cookies
Session cookies must carry the Secure, HttpOnly and SameSite attributes to resist theft and cross-site attacks.
Why it matters
A cookie without HttpOnly can be stolen by cross-site scripting; without Secure it can leak over plain HTTP; without SameSite it is exposed to cross-site request forgery. Session cookies are the keys to a logged-in account.
How to fix it
Set all three attributes on authentication cookies. Use SameSite=Lax or Strict unless you genuinely need cross-site cookies.
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/
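As an added example (not part of the original guide), the following Python audits a Set-Cookie header for the three attributes discussed above and builds a hardened header; the sample headers are constructed, and the attribute rules follow the guide plus the browser requirement that SameSite=None be paired with Secure.

```python
"""Audit Set-Cookie headers for Secure, HttpOnly and SameSite, and build a hardened one."""
from __future__ import annotations

SAME_SITE_VALUES = {"strict", "lax", "none"}


def audit_set_cookie(header: str) -> list[str]:
    """Return findings for one Set-Cookie header value; an empty list means it passes."""
    parts = [p.strip() for p in header.split(";")]
    # The first segment is name=value; the rest are attributes (bare flags or key=value).
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by injected script (XSS)")
    same_site = attrs.get("samesite", "").lower()
    if not same_site:
        findings.append("missing SameSite: set Lax or Strict explicitly")
    elif same_site not in SAME_SITE_VALUES:
        findings.append(f"invalid SameSite value {attrs['samesite']!r}")
    elif same_site == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure; browsers reject the cookie otherwise")
    return findings


def build_session_cookie(name: str, value: str, same_site: str = "Lax",
                         path: str = "/", max_age: int | None = None) -> str:
    """Build a Set-Cookie header value that carries all three attributes."""
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    attrs = [f"{name}={value}", f"Path={path}", "Secure", "HttpOnly", f"SameSite={same_site}"]
    if max_age is not None:
        attrs.append(f"Max-Age={int(max_age)}")
    return "; ".join(attrs)


if __name__ == "__main__":
    # Constructed sample headers, as a scanner might see them in HTTP responses.
    SAMPLES = [
        "session=abc123; Path=/",
        "session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/",
        "session=abc123; HttpOnly; SameSite=None",
    ]
    for h in SAMPLES:
        print(h, "->", audit_set_cookie(h) or "OK")
    print(build_session_cookie("session", "abc123"))
```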
Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.