
Set Cookie and SameSite

Hardening cookies with HttpOnly, Secure, and SameSite.


Issuing a Cookie

A server creates a cookie with the Set-Cookie response header. Beyond the name, value, and scope (Domain and Path), several attributes protect the cookie from theft and misuse.

Protective Attributes

  • Secure tells the browser to send the cookie only over HTTPS connections, so it is never exposed on plaintext HTTP.
  • HttpOnly hides the cookie from page scripts (document.cookie), blocking theft through cross-site scripting (XSS).

The SameSite Attribute

SameSite controls whether a cookie rides along on cross-site requests, which is the heart of cross-site request forgery (CSRF) defense.

  • Strict never sends the cookie on requests originating from another site.
  • Lax sends it on top-level navigations like clicking a link, but not on embedded subrequests such as images, iframes, or cross-site form posts.
  • None sends it on all cross-site requests, but then the Secure attribute is required; browsers reject SameSite=None without Secure.

Choosing a Mode

Lax is a sensible default that blocks most forgery while keeping inbound links working. Strict is best for cookies that authorize sensitive actions, and None suits cookies needed by legitimate third-party embeds over HTTPS.
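To make the rules above concrete, here is an added example (written for this lesson, not taken from any browser or framework) that serializes a hardened Set-Cookie header and models when a browser would attach the cookie to a request. The model goes slightly beyond the text in one place: Lax is treated as allowing cross-site top-level navigations only for safe methods (GET/HEAD), which is how browsers actually apply it.

```python
"""Set-Cookie serialization and a simplified SameSite send model (added example)."""

VALID_SAMESITE = {"Strict", "Lax", "None"}
SAFE_METHODS = {"GET", "HEAD"}


def set_cookie_header(name, value, *, secure=False, http_only=False,
                      samesite="Lax", path="/", max_age=None):
    """Return the value for a Set-Cookie response header.

    Enforces the rule from the lesson: SameSite=None is only valid together
    with Secure, so that combination is rejected instead of silently emitted.
    """
    if samesite not in VALID_SAMESITE:
        raise ValueError(f"unknown SameSite value: {samesite}")
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}", f"Path={path}", f"SameSite={samesite}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def cookie_is_sent(samesite, *, secure, https, cross_site,
                   top_level_navigation, method="GET"):
    """Model whether a browser attaches the cookie to an outgoing request.

    Simplified decision table (assumption, not a full spec implementation):
      - Secure cookies are never sent over plain HTTP.
      - Same-site requests always carry the cookie.
      - Strict blocks every cross-site request.
      - Lax allows only top-level navigations with a safe method.
      - None allows everything (and was required to be Secure at issue time).
    """
    if secure and not https:
        return False
    if not cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True  # SameSite=None


if __name__ == "__main__":
    print(set_cookie_header("sid", "abc123", secure=True, http_only=True,
                            samesite="Strict", max_age=3600))
```

Running the block prints a session cookie header hardened with all three attributes; the helper functions can also be imported to check a planned cookie policy against a given request shape.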

Key idea

Set-Cookie hardens a cookie with Secure and HttpOnly against theft, while SameSite Strict, Lax, or None governs cross-site sending to defend against request forgery.

Check yourself


1. What does the HttpOnly attribute prevent?

2. Which SameSite value requires the Secure attribute?

3. What does SameSite Lax allow that Strict does not?