Skip to content

What do the HttpOnly, Secure, and SameSite cookie flags do?

Short answer

HttpOnly hides the cookie from JavaScript so XSS cannot steal it via document.cookie. Secure ensures the cookie is only sent over HTTPS, blocking network interception. SameSite controls whether the cookie is sent on cross-site requests, mitigating CSRF. Together they harden session cookies against the most common theft and abuse paths.

A session cookie is a bearer token: whoever holds it is the user. So the attributes you set on it determine how hard it is for an attacker to steal, intercept, or abuse that token. Three flags do most of the work, and each maps to a distinct threat.

HttpOnly — blocks script access

HttpOnly tells the browser to not expose the cookie to JavaScript. document.cookie cannot read it. This is the key mitigation against XSS-based session theft: even if an attacker injects script, they cannot exfiltrate the session cookie. Note it does not prevent XSS itself — the injected script can still make authenticated requests as the user — but it stops the cookie from leaving the browser, which contains the damage.

Secure — HTTPS only

Secure tells the browser to send the cookie only over HTTPS. Without it, a single accidental http:// request (or an attacker forcing one) would transmit the session cookie in cleartext where a network attacker can sniff it. Combined with HSTS, this closes the network-interception path.

SameSite — cross-site sending

SameSite controls whether the cookie rides along on requests originating from other sites:

  • Strict — never sent cross-site (strongest CSRF protection, but can disrupt inbound links to authenticated pages).
  • Lax — sent on top-level navigations but not cross-site sub-requests/POSTs; a good default that blocks classic CSRF.
  • None — always sent, and requires Secure.

Belt and suspenders: name prefixes

The __Host- prefix lets the browser enforce that a cookie is Secure, path /, and not domain-scoped — a guard against subdomain/cookie-fixation tricks.

Interviewers look for the flag-to-threat mapping (HttpOnly/XSS theft, Secure/sniffing, SameSite/CSRF) and the nuance that HttpOnly limits XSS impact rather than preventing XSS.

Likely follow-ups

  • Why does HttpOnly not prevent XSS, only limit its impact?
  • What is the difference between SameSite=Lax and SameSite=Strict?
  • What does the __Host- cookie name prefix enforce?

Sources

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.