Beta · Medium · Security & Infrastructure

Cookie Security Flags

Cookies set without the HttpOnly, Secure and SameSite attributes are exposed to theft through cross-site scripting (XSS), to interception over plaintext HTTP, and to cross-site request forgery (CSRF). SaaSalyst checks every Set-Cookie header for these three attributes and reports the cookies that lack any of them.

What SaaSalyst Checks

SaaSalyst parses every Set-Cookie response header and checks each cookie for three attributes: HttpOnly (blocks access from client-side script), Secure (restricts the cookie to HTTPS transport), and SameSite (controls whether the browser attaches the cookie to requests that originate from another site). A cookie needs all three to pass; the check evaluates every cookie set by the page.
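The check described here (and restated in the FAQ below) can be reproduced in a few lines of Node.js. The code is an added example, not SaaSalyst's implementation; the header values are constructed for illustration, and the SameSite=None without Secure rule it flags is a browser behaviour the text above does not cover.

```javascript
// Added example (not SaaSalyst's code): audit Set-Cookie headers for the
// HttpOnly, Secure and SameSite attributes. Sample headers are constructed.

const REQUIRED_FLAGS = ["httponly", "secure", "samesite"];
const SAMESITE_VALUES = ["strict", "lax", "none"];

// Parse one Set-Cookie header value into its cookie name and a lower-cased
// attribute map. Flag attributes without a value (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const attributes = {};
  for (const attr of rawAttrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? true : attr.slice(i + 1).trim();
    attributes[key] = value;
  }
  return { name, attributes };
}

// Audit one cookie: report which required flags are missing, plus attribute
// combinations that browsers reject outright.
function auditCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const missing = REQUIRED_FLAGS.filter((flag) => !(flag in attributes));
  const issues = [];
  if ("samesite" in attributes) {
    const ss = String(attributes.samesite).toLowerCase();
    if (!SAMESITE_VALUES.includes(ss)) {
      issues.push(`SameSite=${attributes.samesite} is not a recognised value`);
    } else if (ss === "none" && !("secure" in attributes)) {
      // Browsers refuse to store a SameSite=None cookie that is not also Secure.
      issues.push("SameSite=None requires Secure");
    }
  }
  return { name, missing, issues };
}

// Audit every Set-Cookie header of a response. Passes only when each cookie
// carries all three flags and no combination issue was found.
function auditCookies(headers) {
  const cookies = headers.map(auditCookie);
  const failing = cookies.filter((c) => c.missing.length || c.issues.length);
  return { pass: failing.length === 0, cookies, failing };
}

// Constructed sample: three cookies a scanner might see in one response.
const SAMPLE_SET_COOKIE_HEADERS = [
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "theme=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
  "tracker=xyz; Path=/; SameSite=None",
];

const report = auditCookies(SAMPLE_SET_COOKIE_HEADERS);
for (const c of report.failing) {
  const detail = c.issues.length ? `; ${c.issues.join("; ")}` : "";
  console.log(`${c.name}: missing [${c.missing.join(", ")}]${detail}`);
}
console.log(report.pass ? "PASS" : "WARN: some cookies need attention");
```

To run it against a live page, collect the raw header values first: with Node's built-in fetch, `response.headers.getSetCookie()` returns the array of Set-Cookie values (recent Node versions), and with `http.get` they arrive as `res.headers["set-cookie"]`. Splitting on `;` rather than `,` matters because Expires values contain commas.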

Why This Matters

Missing cookie security flags are a measurable security gap. HttpOnly keeps client-side script from reading the cookie; without it, any XSS vulnerability on the site can read document.cookie and exfiltrate the session. Secure tells the browser to send the cookie only over HTTPS; without it, an attacker who can get the user's browser to make a plain-HTTP request to the site (or who sits in the path of one) sees the cookie in the clear. SameSite limits when the browser attaches the cookie to requests initiated from other sites, which blunts CSRF; note that Lax still sends the cookie on top-level GET navigations, so it complements rather than replaces CSRF tokens.

GDPR Article 32 requires 'appropriate technical and organisational measures' for security. Missing cookie flags represent a concrete, testable gap that security auditors flag during vendor reviews.

Chromium-based browsers treat a cookie with no SameSite attribute as SameSite=Lax, but with an exception that still sends such cookies on top-level POST requests for the first two minutes after they are set, and Firefox and Safari do not apply the Lax default at all. Setting all three flags explicitly therefore avoids behaviour that differs between browsers and demonstrates security maturity.

How to Fix It

  1. Add HttpOnly to every session and authentication cookie so that client-side script cannot read it: Set-Cookie: session=abc; HttpOnly
  2. Add Secure so the browser sends the cookie only over HTTPS (a Secure cookie set from a plain-HTTP origin is discarded by the browser, so test against the HTTPS deployment): Set-Cookie: session=abc; Secure
  3. Add SameSite=Lax (or Strict for sensitive cookies) to limit cross-site sending; use SameSite=None only for cookies that must be sent from other sites, and then only together with Secure, because browsers reject SameSite=None without it: Set-Cookie: session=abc; SameSite=Lax
  4. Combine all three: Set-Cookie: session=abc; HttpOnly; Secure; SameSite=Lax
  5. Review your framework's cookie configuration: most frameworks (Express, Next.js, Django) expose options for setting these flags globally, which is more reliable than adding them to each individual Set-Cookie call.
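The steps above, as a single helper that makes the hardened settings the default and refuses the combinations browsers reject. This is an added example, not SaaSalyst's code and not any framework's API; the function name buildSetCookie, its option names and the Path=/ default are assumptions made for the illustration.

```javascript
// Added example (not SaaSalyst's or a framework's code): serialize a Set-Cookie
// header that carries HttpOnly, Secure and SameSite unless the caller opts out,
// and reject attribute combinations that browsers would discard.

const SAMESITE = ["Strict", "Lax", "None"];

// Defaults are the hardened settings from steps 1-4. A caller that needs a
// cookie readable by client-side script must pass httpOnly: false explicitly.
function buildSetCookie(name, value, options = {}) {
  const {
    httpOnly = true,
    secure = true,
    sameSite = "Lax",
    path = "/",       // assumption: scope to the whole site rather than the request path
    maxAge,           // seconds; omit for a session cookie
  } = options;

  // Cookie names are RFC 6265 tokens: no separators, whitespace or control chars.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  if (!SAMESITE.includes(sameSite)) {
    throw new Error(`SameSite must be one of ${SAMESITE.join(", ")}`);
  }
  if (sameSite === "None" && !secure) {
    // Browsers drop a SameSite=None cookie that is not also Secure.
    throw new Error("SameSite=None requires Secure");
  }
  if (maxAge !== undefined && (!Number.isInteger(maxAge) || maxAge < 0)) {
    throw new Error("maxAge must be a non-negative integer number of seconds");
  }

  // Percent-encode the value so it cannot smuggle ';' or other attributes.
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (httpOnly) parts.push("HttpOnly");
  if (secure) parts.push("Secure");
  parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// The bare header from the "before" state next to the hardened default output.
const WEAK_HEADER = "session=abc";
const HARDENED_HEADER = buildSetCookie("session", "abc");

console.log("before:", WEAK_HEADER);
console.log("after: ", HARDENED_HEADER);
```

Frameworks expose the same switches directly: in Express, `res.cookie(name, value, { httpOnly: true, secure: true, sameSite: "lax" })`, and in Django the settings `SESSION_COOKIE_HTTPONLY`, `SESSION_COOKIE_SECURE` and `SESSION_COOKIE_SAMESITE` (of which only `SESSION_COOKIE_SECURE` defaults to off) apply to the session cookie globally. Whichever route you take, verify the result by reading the actual Set-Cookie headers from the HTTPS deployment rather than trusting the configuration.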

Frequently Asked Questions

How does SaaSalyst check cookie security flags?

SaaSalyst parses the Set-Cookie response headers from your page and checks each cookie for HttpOnly, Secure, and SameSite attributes. If all cookies have all three flags, the check passes. If some are missing, you get a warning with specific details about which cookies need attention.

Are all cookies required to have security flags?

SaaSalyst checks all cookies set by your page. A cookie that client-side code must read (a UI preference, or a CSRF token used in a double-submit scheme) can legitimately omit HttpOnly, but it should still carry Secure and SameSite, and best practice is to set all three flags on every cookie that does not have such a reason. The Secure flag is especially important: without it, the browser will send the cookie over a plain-HTTP connection to the same host, where it can be intercepted.

Check Your SaaS Now — Free

SaaSalyst scans your website in 30 seconds and checks for Cookie Security Flags along with 78+ other business readiness signals.
