Security Check n°22 / 120

Cookie security flags


How TheSiteFuse checks "Cookie security flags"

Cookies can be secured with three attributes: "Secure" (sent only over HTTPS), "HttpOnly" (inaccessible to JavaScript, which protects against theft via XSS) and "SameSite" (protects against cross-site request forgery, CSRF). These three flags are independent and cumulative.

Real-world impact of "Cookie security flags"

A session cookie without these flags can be stolen by a malicious script (XSS) or sent to a third-party site without the user's knowledge. This is one of the most common forms of session hijacking. These attributes cost nothing to add.
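One way to run this kind of check yourself, as an added example (not TheSiteFuse's implementation): it parses Set-Cookie header values and reports which of the three flags are missing, including the case where SameSite=None is set without Secure, which current browsers reject. The function names and the sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for Secure, HttpOnly and SameSite.
# Function names and sample headers are constructed, not taken from any product.

VALID_SAMESITE = ("strict", "lax", "none")

def audit_set_cookie(header_value):
    """Return (cookie_name, findings) for a single Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags such as Secure carry no value.
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    else:
        samesite = attrs["samesite"].lower()
        if samesite not in VALID_SAMESITE:
            findings.append("invalid SameSite value")
        elif samesite == "none" and "secure" not in attrs:
            # Browsers reject SameSite=None cookies that are not also Secure.
            findings.append("SameSite=None without Secure")
    return name, findings

def audit_response(set_cookie_values):
    """Map cookie name -> findings, keeping only cookies that fail the check."""
    report = {}
    for value in set_cookie_values:
        name, findings = audit_set_cookie(value)
        if findings:
            report[name] = findings
    return report

# Constructed sample: one Set-Cookie value per list item.
SAMPLE_HEADERS = [
    "session=abc123; Path=/",
    "auth=tok; Path=/; Secure; HttpOnly; SameSite=Lax",
    "sid=xyz; path=/; secure; httponly; samesite=strict",
    "track=1; Path=/; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for cookie, issues in audit_response(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(issues)}")
```

Feed it the Set-Cookie values from a real response (one string per header) to get the same report for your own site.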
