Medium | GDPR Art. 32 | ISO 27001 A.8.26

Set Secure, HttpOnly and SameSite on cookies

Session cookies must carry the Secure, HttpOnly and SameSite attributes to resist theft and cross-site attacks.

Why it matters

A cookie without HttpOnly can be read by script injected through cross-site scripting; without Secure it can be sent over plain HTTP and intercepted; without SameSite it is attached to cross-site requests and so is exposed to cross-site request forgery. Session cookies are the keys to a logged-in account.

How to fix it

Set all three attributes on authentication cookies. Use SameSite=Lax or Strict unless you genuinely need cross-site cookies.

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/
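As an added example (not part of the original guide), the following Python audit parses Set-Cookie headers and reports which of the three attributes are missing or inconsistent, including the SameSite=None-without-Secure case that browsers reject. The cookie names treated as session cookies are a constructed list.

```python
"""Audit Set-Cookie headers for Secure, HttpOnly and SameSite."""
from typing import Dict, List, Optional, Tuple

# Constructed list of names treated as session/auth cookies for this example.
SESSION_COOKIE_NAMES = {"session", "sessionid", "sid", "auth", "token"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so keys are lower-cased.
    Flag attributes such as Secure and HttpOnly map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means compliant."""
    _name, _value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable via document.cookie")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite: behaviour depends on browser defaults")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure; browsers reject the cookie")
    elif samesite.lower() == "none":
        findings.append("SameSite=None: sent cross-site, confirm this is intended")
    elif samesite.lower() not in ("lax", "strict"):
        findings.append(f"unrecognised SameSite value {samesite!r}")
    return findings


def audit_response(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Audit only the session cookies among a response's Set-Cookie headers."""
    report: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        name, _, _ = parse_set_cookie(header)
        if name.lower() in SESSION_COOKIE_NAMES:
            report[name] = audit_set_cookie(header)
    return report
```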



Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.