IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. HTTP Security Headers
  3. Set-Cookie (security attributes)

HTTP security header

Set-Cookie (security attributes)

The Set-Cookie header's security attributes determine how safely session cookies are handled. HttpOnly blocks JavaScript access (limiting XSS-based theft), Secure restricts cookies to HTTPS, and SameSite mitigates CSRF by controlling cross-site sending. Correct cookie flags are foundational to session security.

Example

Set-Cookie: sid=...; HttpOnly; Secure; SameSite=Lax; Path=/

Configuration guidance

  • Always set HttpOnly and Secure on session cookies.
  • Use SameSite=Lax or Strict as the flow allows.
  • Scope with Path and a specific Domain; keep lifetimes short.

Helps mitigate

Cross-Site Scripting (XSS)Cross-Site Request Forgery (CSRF)

Related headers

Content-Security-PolicyCache-Control
MDN: Set-Cookie

Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.

Test my app
← All security headers
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub