Insecure Cookie

Session cookies missing httpOnly, secure, or sameSite

criticalSecurityinsecure-cookie

Why this matters

Cookies without httpOnly can be stolen via XSS. Without secure, they're sent over plain HTTP. Without sameSite, they're vulnerable to CSRF. AI tools rarely set all three.

✗ Bad

res.setHeader("Set-Cookie",
  `session=${token}; Path=/`
);

✓ Good

res.setHeader("Set-Cookie",
  `session=${token}; Path=/; HttpOnly; Secure; SameSite=Lax`
);

How to fix

Always set HttpOnly, Secure, and SameSite on session cookies. Use a cookie library that sets secure defaults.

All rules