How to fix insecure cookies (missing Secure, HttpOnly, or SameSite)
Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.
What it is
Cookies can be sent with every request. Without Secure they may be sent over HTTP; without HttpOnly they are readable by JavaScript (XSS); without SameSite they can be sent on cross-site requests (CSRF). Setting these attributes locks down session and auth cookies.
Why it matters
Insecure cookies are a common cause of session hijacking and CSRF. Secure ensures cookies only go over HTTPS. HttpOnly prevents script access. SameSite=Strict or Lax reduces CSRF risk. All three are recommended for session and authentication cookies.
How to fix it
- 1
Add Secure
Set the Secure attribute so the cookie is only sent over HTTPS. Never send session cookies over HTTP.
- 2
Add HttpOnly
Set HttpOnly so JavaScript cannot read the cookie. This limits XSS from stealing session tokens.
- 3
Set SameSite
Use SameSite=Strict or SameSite=Lax. Strict sends the cookie only on same-site requests; Lax allows top-level navigations (e.g. link click). Avoid SameSite=None unless you need cross-site cookies (and then use Secure).
- 4
Apply in your app or server
Configure your framework (e.g. Express session, Rails, Django) or Set-Cookie headers in your reverse proxy to include Secure; HttpOnly; SameSite=Lax (or Strict).
- 5
Verify
Run a cookie security check or Barrion scan to confirm your cookies have the recommended attributes.
Examples by platform
Node.js (Express session)
app.use(session({
cookie: { secure: true, httpOnly: true, sameSite: 'lax', maxAge: 86400000 }
}));Set-Cookie header example
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/Check your site
Run Barrion's free cookie security check to see if this finding applies to your app and get a full report.
Run free check →
