high HTTP Headers

Insecure Cookie Configuration

Session cookies are missing the Secure, HttpOnly, or SameSite attributes, exposing them to theft via XSS, MITM, or CSRF.

Severity
high
Time to Fix
30 minutes
Difficulty
easy
OWASP
A05:2021 — Security Misconfiguration

What is Insecure Cookie Configuration?

Cookies that authenticate users (session cookies, JWT tokens, CSRF tokens) must have three security attributes: Secure (only sent over HTTPS), HttpOnly (not accessible via JavaScript — prevents XSS theft), and SameSite=Lax or Strict (prevents CSRF). Without these, cookies can be stolen via XSS, intercepted over HTTP, or sent on cross-site requests.

Why It Matters to Your Business

Insecure cookies enable account takeover via XSS (steal cookies with document.cookie), session hijacking over HTTP, and CSRF attacks. For e-commerce and SaaS sites, this can lead to mass account compromise.

How to Fix It

Set all three attributes on every Set-Cookie:

Set-Cookie: session_id=abc123; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age=3600

In Laravel (config/session.php):
  'secure' => env('SESSION_SECURE_COOKIE', true),
  'http_only' => true,
  'same_site' => 'lax',

In PHP (php.ini):
  session.cookie_secure = 1
  session.cookie_httponly = 1
  session.cookie_samesite = "Lax"

In Express.js:
  app.use(session({ cookie: { secure: true, httpOnly: true, sameSite: 'lax' }}))

Technical Classification

OWASP CategoryA05:2021 — Security Misconfiguration
CWE IDCWE-1004: Sensitive Cookie Without HttpOnly
Detected Bycookies scanner(s)
Severity Levelhigh

How 2MNY Security Can Help

Check if your website has this vulnerability

Our cookies scanner checks for this issue automatically.

Scan My Website Free

Related Vulnerabilities