HTTP security header
Set-Cookie (security attributes)
The Set-Cookie header's security attributes determine how safely session cookies are handled. HttpOnly blocks JavaScript access (limiting XSS-based theft), Secure restricts cookies to HTTPS, and SameSite mitigates CSRF by controlling cross-site sending. Correct cookie flags are foundational to session security.
Example
Set-Cookie: sid=...; HttpOnly; Secure; SameSite=Lax; Path=/Configuration guidance
- Always set HttpOnly and Secure on session cookies.
- Use SameSite=Lax or Strict as the flow allows.
- Scope with Path and a specific Domain; keep lifetimes short.
Helps mitigate
Related headers
Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.
Test my app