Secure Cookies

A cookie without the Secure attribute is sent on plain HTTP requests as well as HTTPS ones. With the attribute set, the browser attaches the cookie only to HTTPS requests, and modern browsers also refuse to store a Secure cookie that was set by a plain HTTP response.

  • Risk: an attacker on the network path (man-in-the-middle, MITM) can read or replace the cookie in cleartext, for example by steering the browser to an http:// URL on the same host. A session cookie exposed this way hands the attacker the session, even if the site normally serves only HTTPS.

SameSite Cookies

The SameSite attribute controls whether cookies are sent with cross-site requests. Possible values:

  • None:
    • Cookies are included in all cross-site requests: iframes, images, fetch/XHR, and POST form submissions.
    • Must also carry the Secure attribute. Modern browsers reject a SameSite=None cookie that is not marked Secure, so it can only ever travel over HTTPS.
  • Lax:
    • Cookies are included on cross-site top-level navigations that use a safe method (GET), such as a link click or a GET form submission that changes the browser's address bar.
    • Not included on cross-site POST form submissions, iframes, images, or fetch/XHR requests, which is what blocks the common CSRF cases.
    • Chromium treats a cookie with no SameSite attribute as Lax; other browsers differ, so set the attribute explicitly rather than relying on the default.
  • Strict:
    • Cookies are not sent with any cross-site request, including a top-level navigation from a link on another site, so a user following such a link arrives at the site without their session until they navigate again within the site.
    • Strongest protection against CSRF and cross-site tracking, at the cost of breaking legitimate cross-site entry points such as links from email.
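The rules for Secure and SameSite above can be seen as a decision table. The following is an added example, not code from the original page or from any browser: a small model that parses a Set-Cookie header, rejects the combinations modern browsers reject, and decides whether the cookie would be attached to a given request. The request-context object shape ({scheme, crossSite, topLevelNavigation, method}) and the sample headers are assumptions constructed for this example, not a browser API; an unspecified SameSite is treated as Lax, which matches Chromium's default but not every browser.

```javascript
// Added example, not code from the original page: a model of how a browser
// applies the Secure and SameSite attributes when deciding whether to attach
// a cookie to an outgoing request. The request-context shape below is an
// assumption made for this example, not a real browser API.

// "Safe" methods per RFC 7231; SameSite=Lax only sends on top-level
// navigations that use one of these.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse a Set-Cookie header into the attributes this model cares about.
// responseScheme is the scheme of the response that set the cookie.
// Returns null when a modern browser would reject the cookie outright:
//   - SameSite=None without Secure
//   - Secure set by a plain HTTP response
function parseSetCookie(header, responseScheme) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(),
    secure: false,
    // Assumption of this model: unspecified SameSite behaves as Lax (Chromium).
    sameSite: 'Lax',
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, rawVal = ''] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rawVal.trim().toLowerCase();
    if (key === 'secure') {
      cookie.secure = true;
    } else if (key === 'samesite') {
      if (val === 'none') cookie.sameSite = 'None';
      else if (val === 'strict') cookie.sameSite = 'Strict';
      else cookie.sameSite = 'Lax'; // "lax" or an unrecognised value
    }
  }
  if (cookie.sameSite === 'None' && !cookie.secure) return null;
  if (cookie.secure && responseScheme !== 'https') return null;
  return cookie;
}

// Decide whether a stored cookie is attached to a request.
function shouldSendCookie(cookie, req) {
  // Secure: the cookie never leaves the browser over plaintext HTTP.
  if (cookie.secure && req.scheme !== 'https') return false;
  // Same-site requests always carry the cookie; SameSite gates cross-site only.
  if (!req.crossSite) return true;
  switch (cookie.sameSite) {
    case 'None':
      return true;
    case 'Strict':
      return false;
    case 'Lax':
      // Top-level navigation with a safe method only: a link click or a GET
      // form, but not a cross-site POST form, iframe, image, or fetch/XHR.
      return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
    default:
      return false;
  }
}

// Run one cookie through a fixed set of request contexts (constructed for
// this example) and return the resulting send/no-send matrix.
function sendMatrix(header, responseScheme) {
  const cookie = parseSetCookie(header, responseScheme);
  if (cookie === null) return { rejected: true };
  const contexts = {
    sameSiteHttps: { scheme: 'https', crossSite: false, topLevelNavigation: true, method: 'GET' },
    sameSiteHttp: { scheme: 'http', crossSite: false, topLevelNavigation: true, method: 'GET' },
    crossSiteLink: { scheme: 'https', crossSite: true, topLevelNavigation: true, method: 'GET' },
    crossSitePostForm: { scheme: 'https', crossSite: true, topLevelNavigation: true, method: 'POST' },
    crossSiteFetch: { scheme: 'https', crossSite: true, topLevelNavigation: false, method: 'GET' },
  };
  const out = { rejected: false };
  for (const [label, ctx] of Object.entries(contexts)) out[label] = shouldSendCookie(cookie, ctx);
  return out;
}

// Stand-alone demo over constructed Set-Cookie headers.
const SAMPLE_HEADERS = [
  'sid=1',                            // no attributes: leaks over http, Lax cross-site
  'sid=2; Secure; SameSite=Strict',   // HTTPS only, never cross-site
  'sid=3; Secure; SameSite=None',     // HTTPS only, every cross-site context
  'sid=4; SameSite=None',             // rejected: None without Secure
];
for (const h of SAMPLE_HEADERS) console.log(h, sendMatrix(h, 'https'));
```

The `sameSiteHttp` column is the Secure-attribute risk from the first section in miniature: the attribute-less cookie `sid=1` is sent on the plaintext request, while `sid=2` and `sid=3` are not. The `crossSitePostForm` and `crossSiteFetch` columns show why Lax blocks the usual CSRF vectors while still letting a link from another site arrive authenticated, and why Strict blocks even that.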