
Cookies Missing Security Flags

Your site sets cookies without the 'Secure' and 'HttpOnly' flags. These flags add important protections to cookies.

Why This Matters

Without 'Secure', the browser also sends the cookie over unencrypted HTTP connections, where it can be intercepted in transit. Without 'HttpOnly', JavaScript running in the page can read the cookie, so it can be stolen if an attacker manages to inject a malicious script (cross-site scripting, XSS).

How to Fix
Framework-specific solutions and general best practices

When setting cookies, always include: Secure (the cookie is only sent over HTTPS), HttpOnly (the cookie is not accessible to JavaScript), and SameSite=Strict or SameSite=Lax (the cookie is not attached to cross-site requests, which mitigates CSRF).
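As an added example (not part of this wiki entry or the SecureNow product), the following Python audits raw Set-Cookie header values for the flags described above and builds a hardened header for comparison; the sample headers and function names are constructed for illustration.

```python
"""Audit Set-Cookie headers for Secure / HttpOnly / SameSite and build a
hardened one. Added example; sample headers below are constructed."""
from typing import Dict, List

REQUIRED_FLAGS = ("Secure", "HttpOnly")      # flags the entry requires
ACCEPTED_SAMESITE = ("strict", "lax")         # values that mitigate CSRF


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into {attribute_lower: value}.

    The cookie name/value land under "__name__" / "__value__"; flag-style
    attributes such as Secure and HttpOnly get an empty-string value.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means OK."""
    attrs = parse_set_cookie(header)
    findings = [f"missing {flag}" for flag in REQUIRED_FLAGS if flag.lower() not in attrs]
    same_site = attrs.get("samesite", "").lower()
    if not same_site:
        findings.append("missing SameSite")
    elif same_site not in ACCEPTED_SAMESITE:
        # SameSite=None sends the cookie on cross-site requests (and requires Secure).
        findings.append(f"SameSite={attrs['samesite']} offers no CSRF protection")
    return findings


def hardened_set_cookie(name: str, value: str, max_age: int,
                        same_site: str = "Strict", path: str = "/") -> str:
    """Build a Set-Cookie header carrying every flag the entry calls for."""
    if same_site not in ("Strict", "Lax"):
        raise ValueError("use SameSite=Strict or SameSite=Lax")
    return (f"{name}={value}; Path={path}; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite={same_site}")


# Constructed sample headers, as a scanner might see them in a response.
SAMPLE_HEADERS = [
    "session=abc123; Path=/",                          # the reported problem
    "pref=dark; Path=/; Secure; SameSite=None",        # only partly hardened
    hardened_set_cookie("session", "abc123", 3600),    # the fix
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", audit_set_cookie(h) or "OK")
```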

Quick Reference

Severity: High Risk
ID: insecure_cookies
AI Assistant Prompt

Copy this prompt to ask an AI for help fixing this vulnerability:

Please fix the "Cookies Missing Security Flags" security vulnerability in this web application.

The issue is: Your site sets cookies without the 'Secure' and 'HttpOnly' flags. These flags add important protections to cookies.

Make a plan and implement based on my project.
    SecureNow - Protect Your Websites in minutes, not days