
What are Cookie Security Flags?

February 8, 2026

Cookie security flags are attributes you can set on HTTP cookies to control how browsers handle them. The three most important flags — Secure, HttpOnly, and SameSite — protect your website and users against session hijacking, cross-site scripting (XSS), and cross-site request forgery (CSRF) attacks.

The Secure Flag

When a cookie has the Secure flag, the browser will only send it over encrypted HTTPS connections — never over plain HTTP. This prevents attackers from intercepting cookies via man-in-the-middle attacks on unencrypted connections.

Set-Cookie: session_id=abc123; Secure

Without Secure: If a user accidentally visits your site over HTTP (e.g., on public Wi-Fi), cookies are sent in plaintext and can be stolen.

The HttpOnly Flag

The HttpOnly flag prevents JavaScript from accessing the cookie via document.cookie. This is critical for session cookies because it blocks XSS attacks from stealing session tokens.

Set-Cookie: session_id=abc123; HttpOnly

Without HttpOnly: A single XSS vulnerability allows an attacker to run document.cookie and steal all non-HttpOnly cookies, leading to session hijacking.

The SameSite Flag

The SameSite attribute controls whether a cookie is sent with cross-site requests. It has three values:

  • SameSite=Strict — Cookie is never sent with cross-site requests. Most secure, but may break legitimate cross-site flows like clicking a link from an email.
  • SameSite=Lax — Cookie is sent with top-level navigation (clicking a link) but not with embedded resources or forms from other sites. This is the default in modern browsers.
  • SameSite=None — Cookie is sent with all cross-site requests. Must be combined with Secure. Used for third-party cookies (ads, embeds).

Set-Cookie: session_id=abc123; SameSite=Lax

Recommended Cookie Configuration

For session cookies and authentication cookies, always set all three flags:

Set-Cookie: session_id=abc123; Secure; HttpOnly; SameSite=Lax; Path=/
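As an added example (not part of the original page and not InspectWP's own code), a small Python audit that parses Set-Cookie header values and reports which of the three flags are missing, including the rule that SameSite=None must be paired with Secure; the header values below are constructed samples, not cookies from any real site.

```python
from typing import Dict, List

# Constructed sample Set-Cookie header values (not captured from a real site).
SAMPLE_HEADERS = [
    "session_id=abc123; Secure; HttpOnly; SameSite=Lax; Path=/",  # hardened
    "legacy_session=def456; HttpOnly",                            # no Secure, no SameSite
    "tracker=xyz; SameSite=None; Path=/",                         # None without Secure
    "prefs=dark; Secure; SameSite=Strict",                        # no HttpOnly
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie value into its name=value pair plus attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lowercased;
    valueless flags such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"__name__": name.strip(), "__value__": value.strip()}
    for attr in parts[1:]:
        if not attr:          # tolerate a trailing ';'
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means hardened."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in cookie:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in cookie:
        findings.append("missing HttpOnly: readable via document.cookie after XSS")
    samesite = cookie.get("samesite")
    if samesite is None:
        findings.append("missing SameSite: relies on the browser default for CSRF protection")
    elif samesite.lower() == "none" and "secure" not in cookie:
        findings.append("SameSite=None without Secure: modern browsers reject this cookie")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit several Set-Cookie headers, keyed by cookie name."""
    return {parse_set_cookie(h)["__name__"]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(name, "OK" if not findings else findings)
```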

Why These Flags Matter

  • Secure prevents cookies from leaking over unencrypted connections.
  • HttpOnly blocks XSS-based cookie theft.
  • SameSite mitigates CSRF attacks.

Together, these three flags form a critical layer of defense for any website that uses cookies for authentication or tracking.

How InspectWP Helps

InspectWP analyzes all cookies set by your WordPress site and flags any that are missing the Secure, HttpOnly, or SameSite attributes. This makes it easy to identify cookies that need hardening.
