Security check (severity: Medium)

Cookie Security Flags

Checks that session and auth cookies set Secure, HttpOnly, and SameSite flags.

What this check measures

We parse `Set-Cookie` response headers. Session cookies must carry `Secure` (sent over HTTPS only), `HttpOnly` (not readable from JavaScript), and `SameSite=Lax` or `SameSite=Strict` (CSRF defense).

Why it matters

A missing `HttpOnly` lets script injected via XSS read the cookie, a missing `Secure` lets the browser send it in clear text over HTTP, and a missing `SameSite` lets it ride along on cross-site requests (CSRF). All three flags should be on by default for auth and session cookies; it costs nothing.


How our audit detects it

Parse `Set-Cookie` headers on login and session-creating endpoints. Flag any session or auth cookie missing `Secure`, `HttpOnly`, or `SameSite`.
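A minimal version of that parsing step, added here as an example (it is not Pantra's own code). The session-cookie name heuristic and the sample headers are assumptions; the check treats an absent `SameSite` and `SameSite=None` the same way, since only `Lax` or `Strict` satisfies it.

```python
from typing import Dict, List, Tuple

# Assumption (Pantra's heuristic is not published): names containing these substrings are session/auth cookies.
SESSION_NAME_HINTS = ("sess", "auth", "token", "sid", "login")

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, {lower-cased attribute: value}).
    Value-less flags such as Secure and HttpOnly map to an empty string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def missing_flags(header: str) -> List[str]:
    """Return the required flags that this Set-Cookie value does not set."""
    _, attrs = parse_set_cookie(header)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    # Absent SameSite and SameSite=None both fail: only Lax or Strict pass.
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite")
    return missing

def is_session_cookie(name: str) -> bool:
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)

def audit_response(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Map each session/auth cookie in a response to the flags it is missing."""
    findings = {}
    for header in set_cookie_headers:
        name, _ = parse_set_cookie(header)
        if is_session_cookie(name):
            findings[name] = missing_flags(header)
    return findings

# Constructed sample headers standing in for a login response (not real data).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
    "refresh_token=q1w2; Path=/; Secure; SameSite=None",
    "theme=dark; Path=/",
]
```

Running `audit_response(SAMPLE_HEADERS)` reports `sessionid` missing Secure and SameSite, `refresh_token` missing HttpOnly and SameSite, `auth_token` clean, and skips `theme` as a non-session cookie.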

Typical findings

  • Session cookie without HttpOnly: script injected via XSS can read it.
  • Session cookie without Secure: sent over plain HTTP on any request.
  • SameSite missing (defaults to Lax in modern browsers, but setting it explicitly is safer).

How to fix

For every cookie representing a session or auth state: set `Secure; HttpOnly; SameSite=Lax`. Use `Strict` for the most sensitive cookies. Most frameworks do this if you opt in.

Frequently asked questions

SameSite=Strict vs Lax?
Strict = never sent on cross-site requests (breaks OAuth return flows). Lax = sent on top-level navigations only (safe for most sites).

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.

