Cookies: Cookies security


Adding the Secure parameter makes sure the cookie can only be transmitted securely over HTTPS, and it will not be sent over unencrypted HTTP connections:

document.cookie = 'name=Flavio; Secure;'

Note that this does not make cookies secure in any way - always avoid adding sensitive information to cookies


One useful parameter is HttpOnly, which makes cookies inaccessible via the document.cookie API, so they are only editable by the server:

document.cookie = 'name=Flavio; Secure; HttpOnly'


SameSite lets servers require that a cookie is not sent on cross-site requests, but only on resources that have the cookie domain as the origin, which should be a great help towards reducing the risk of CSRF (Cross Site Request Forgery) attacks.

Lessons in this unit:

0: Introduction
1: Setting cookies
2: Setting a cookie expiration date
3: Setting a cookie path
4: Setting a cookie domain
5: ▶︎ Cookies security
6: Updating a cookie
7: Deleting a cookie
8: Accessing the value of a cookie
9: Checking if a cookie exists
10: Inspecting cookies