Audit every Set-Cookie on the page - the flags that matter, in one scan.
Hands off to the full WebShield scanner, which covers this check alongside every other header, DNS and email auth probe.
Every cookie your origin sets is an object in the browser's security model. Without the Secure flag it leaks over HTTP. Without HttpOnly it leaks to injected JavaScript. Without SameSite it rides along on cross-site requests and enables CSRF. WebShield enumerates every Set-Cookie header on your response chain and grades each one on all three flags, plus the `__Host-` and `__Secure-` cookie-name prefixes.
Session hijacking is almost never a cryptographic break any more - it is a cookie mistake. A single session cookie without HttpOnly makes the difference between a reflected XSS being noisy and being an account takeover. A missing SameSite makes the difference between a CSRF being impossible and trivial.
WebShield follows the full redirect chain and collects every Set-Cookie header on every response. Each cookie is parsed into name, value, Domain, Path, Max-Age / Expires, Secure, HttpOnly and SameSite attributes. Prefix rules (__Host-, __Secure-) are enforced per RFC 6265bis.
```javascript
// Express: express-session with the session cookie pinned to the origin via the __Host- prefix
const session = require('express-session');

app.use(session({
  name: '__Host-session',
  secret: process.env.SESSION_SECRET,
  cookie: {
    httpOnly: true,
    secure: true,      // required by the __Host- prefix
    sameSite: 'lax',
    path: '/',         // required by the __Host- prefix; no domain attribute is set
  },
}));
```

```python
# settings.py
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SAMESITE = 'Lax'
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = True
CSRF_COOKIE_SAMESITE = 'Lax'
```

```ruby
# config/initializers/session_store.rb
Rails.application.config.session_store :cookie_store,
  key: '__Host-session',
  secure: Rails.env.production?, # __Host- requires Secure: browsers reject the cookie wherever this evaluates to false
  httponly: true,
  same_site: :lax
```

```php
<?php
// Must run before session_start(); the empty domain keeps the cookie host-only, as __Host- requires.
session_set_cookie_params([
    'lifetime' => 0,
    'path' => '/',
    'domain' => '',
    'secure' => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_name('__Host-session');
session_start();
```

Lax allows the cookie on top-level navigations from another site (clicking a link). Strict blocks it on every cross-site request, including inbound links. For session cookies on sites with inbound links from email or search, Lax is the pragmatic default; Strict is correct for cookies that must never leave the origin (e.g. dedicated CSRF tokens).
A cookie named __Host-* must be Secure, must have Path=/, and must have no Domain attribute - meaning it is pinned to the exact origin that set it. Subdomain takeovers cannot steal it, and a compromised subdomain cannot overwrite it.
Browsers treat http://localhost as a secure context for development, so Secure cookies will still work there. Always set Secure in staging and production; frameworks that auto-toggle based on environment are fine for local development only.
Modern browsers reject SameSite=None cookies unless Secure is also set. If the cookie is on HTTP, or the Secure attribute is missing, it is silently dropped. Always pair SameSite=None with Secure.
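The parsing and grading described above (every Set-Cookie split into its attributes, graded on Secure, HttpOnly and SameSite, with the `__Host-`/`__Secure-` prefix rules and the SameSite=None-requires-Secure rule applied), as an added example that is not WebShield's own code. The sample headers are constructed and the finding strings are this example's own wording.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs); attrs maps lower-cased
    attribute names to their value, or True for bare flags such as Secure."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in filter(None, parts[1:]):
        k, sep, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip() if sep else True
    return name.strip(), value, attrs

def grade_cookie(name, attrs):
    """Findings for one cookie: the three flags plus the __Host-/__Secure- prefix rules."""
    findings = []
    secure = attrs.get("secure") is True
    if not secure:
        findings.append("missing Secure")
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str):
        findings.append("missing SameSite")
    elif samesite.lower() == "none" and not secure:
        findings.append("SameSite=None without Secure (browser drops cookie)")
    if name.startswith("__Host-"):
        # __Host- pins the cookie to the exact origin: Secure, Path=/, no Domain
        if not secure:
            findings.append("__Host- prefix requires Secure")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
        if "domain" in attrs:
            findings.append("__Host- prefix forbids Domain")
    elif name.startswith("__Secure-") and not secure:
        findings.append("__Secure- prefix requires Secure")
    return findings

def audit(headers):
    """Map cookie name -> findings for every Set-Cookie header in a response chain."""
    return {name: grade_cookie(name, attrs) for name, _, attrs in map(parse_set_cookie, headers)}

# Constructed sample Set-Cookie headers (not captured from a real host).
SAMPLE_HEADERS = [
    "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracking=xyz; Domain=.example.test; Path=/; SameSite=None",
    "__Host-bad=1; Domain=example.test; Path=/app; HttpOnly",
]
if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HEADERS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```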