Cookie Security & Session Hardening: SameSite, HttpOnly, Secure
Learn the interview-ready mental model, practical trade-offs, and production patterns for this web fundamentals topic.
Topic content
Cookie security attributes significantly reduce attack surface for session hijacking, XSS, and CSRF. HttpOnly prevents JavaScript access, Secure ensures HTTPS-only transmission, and SameSite controls cross-site behavior. These must be combined with proper session lifecycle management.
HttpOnly = sealed envelope (JS can't read inside). Secure = only delivered by trusted courier (HTTPS). SameSite = only delivered when the recipient is from the same organization (same-site context).
| Attribute | Effect |
|---|---|
| HttpOnly | JS cannot read |
| Secure | Only over HTTPS |
| SameSite | Controls cross-site sending |
1. HttpOnly
Prevents JavaScript from accessing the cookie via document.cookie. Critical for session identifiers because it limits what an XSS payload can steal.
2. Secure
Ensures the cookie is only sent over HTTPS connections. Essential in production to prevent interception on unsecured networks.
3. SameSite Attribute
Controls whether cookies are sent with cross-site requests. Strict offers the strongest CSRF protection; Lax balances protection with usability; None allows cross-site sending and requires the Secure attribute.
- ✓ HttpOnly prevents JS access to sensitive cookies
- ✓ Secure ensures transmission only over HTTPS
- ✓ SameSite controls cross-site cookie behavior
- ✓ Use __Host- and __Secure- prefixes for extra protection
- ✓ Narrow cookie scope with Domain and Path
- ✓ Combine with proper session lifecycle management
- ✓ Cookie hardening is defense-in-depth, not a complete solution
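As an added example (not code from the original page), the following Python linter applies the rules above to a Set-Cookie header value: it checks HttpOnly, Secure, SameSite, the __Host-/__Secure- prefix constraints, and Domain scope. The cookie names and values are constructed sample data.

```python
"""Set-Cookie hardening linter (added example; sample headers are constructed)."""


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attrs."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # value may itself contain '='
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or True  # flag attrs -> True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def lint_session_cookie(header: str) -> list:
    """Return findings for a cookie that carries a session identifier."""
    cookie = parse_set_cookie(header)
    name, attrs, findings = cookie["name"], cookie["attrs"], []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie under XSS")
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plain HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax: relies on other CSRF defenses")
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure (modern browsers reject it)")
    if name.startswith("__Host-"):
        # __Host- binds the cookie to one host: Secure, no Domain, Path=/
        if "domain" in attrs:
            findings.append("__Host- prefix forbids the Domain attribute")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
    elif not name.startswith("__Secure-"):
        findings.append("consider a __Host- prefix to bind the cookie to this host")
    if "domain" in attrs and not name.startswith("__Host-"):
        findings.append("Domain set: cookie is shared with every subdomain")
    return findings


# Constructed sample headers: a hardened session cookie and a weak one.
HARDENED = "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
WEAK = "session=abc123; Domain=example.com; Path=/"

if __name__ == "__main__":
    for header in (HARDENED, WEAK):
        print(header, "->", lint_session_cookie(header) or "OK")
```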