Medium Severity
Insecure Cookies
Cookies that lack the `Secure`, `HttpOnly`, or `SameSite` attributes can be intercepted in transit, read by injected scripts, or sent along with forged cross-site requests.
Business Risk
1. Missing `Secure`: the cookie is also sent over plaintext HTTP, where it can be captured on the network.
2. Missing `HttpOnly`: the cookie is readable from JavaScript, so any XSS flaw lets an attacker exfiltrate the session.
3. Missing `SameSite`: the browser attaches the cookie to cross-site requests, enabling CSRF against authenticated users.
Technical Details
Always set `SameSite=Lax` (or `SameSite=Strict`) explicitly on session cookies, together with `Secure` and `HttpOnly`. Use the `__Host-` name prefix for maximum protection: it binds the cookie to the exact secure origin that set it.
Remediation Guide
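As an added illustration (not the scanner's own code), the following helper audits a `Set-Cookie` header for the three flags described above and emits a hardened `__Host-` session cookie. It assumes an HTTPS origin and the `__Host-` prefix rules from RFC 6265bis (`Secure` set, no `Domain` attribute, `Path=/`); the sample header is constructed.

```python
"""Audit a Set-Cookie header for the flags this finding covers and emit a
hardened session cookie. Hypothetical helper, not the scanner's own code.
Assumes an HTTPS origin and the __Host- prefix rules of RFC 6265bis
(Secure set, no Domain attribute, Path=/)."""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, lower-cased attribute map); flags map to ''."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return the findings a scanner would raise; [] means the cookie passes."""
    name, a = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in a:
        findings.append("missing Secure: sent over plaintext HTTP")
    if "httponly" not in a:
        findings.append("missing HttpOnly: readable by injected script (XSS)")
    if a.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests (CSRF)")
    if name.startswith("__Host-") and (
            "secure" not in a or "domain" in a or a.get("path") != "/"):
        # Browsers silently reject a __Host- cookie that breaks these rules,
        # so the session cookie would never be stored at all.
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


def build_session_cookie(value: str, max_age: int = 3600) -> str:
    """Emit a session cookie header that passes audit_set_cookie."""
    return (f"__Host-session={value}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={max_age}")


if __name__ == "__main__":
    # Constructed sample: a typical weak session cookie seen in scans.
    weak = "session=abc123; Path=/; Domain=example.com"
    for finding in audit_set_cookie(weak):
        print("-", finding)
    print(build_session_cookie("abc123"))
```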
External References
Verify Your Fix
Applied the configuration change? Run a live scan to confirm the vulnerability is patched.