Always set appropriate security flags on cookies, especially those used for authentication or session management. At minimum, include:

- HttpOnly: prevents JavaScript from reading the cookie, so a successful XSS payload cannot exfiltrate it. It does not stop XSS itself, and injected script can still issue requests that the browser will send with the cookie attached.
- Secure: ensures the browser only sends the cookie over HTTPS connections, so it is never exposed to a network observer on plaintext HTTP.
- SameSite: use Lax for cookies that must survive a top-level cross-site navigation (such as the redirect back from an OAuth provider), or Strict for maximum protection when such redirects aren't needed. Lax still attaches the cookie on top-level GET navigations, so state-changing endpoints must not act on GET and should still require a CSRF token.

Example of a properly configured cookie in an OAuth flow:
```rust
// Attach the session cookie to the response header with security flags.
// COOKIE_NAME and `cookie` (the session value) are defined elsewhere in the handler;
// the new `cookie` binding shadows the value with the full Set-Cookie string.
let cookie = format!(
    "{COOKIE_NAME}={cookie}; SameSite=Lax; Path=/; HttpOnly; Secure"
);
```
These settings significantly reduce the risk of cookie theft, session hijacking, and cross-site request forgery. SameSite is defence in depth, not a replacement for anti-CSRF tokens, and none of the flags helps if the cookie value itself is attacker-influenced and can smuggle in extra attributes.
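The snippet above builds the header by string formatting, which is fine when the value is server-generated but gives no protection against a value that contains `;` or a line break. The following is an added example, not code from the original page or from any project it describes: a small builder that enforces the flag rules discussed above (SameSite=None only with Secure, `__Host-` prefix only with Secure and Path=/, no attribute-injection characters in name or value), plus an audit function you can run over an application's existing Set-Cookie headers to list which session-cookie flags are missing. All names (`SameSite`, `CookieOptions`, `build_set_cookie`, `audit_set_cookie`) and the sample cookie values are this example's own assumptions.

```rust
// Added example, not from the original page. Builds a Set-Cookie header with the
// flags discussed above and audits an existing header for missing flags.
use std::fmt;

/// The three SameSite modes. `None` is only valid together with `Secure`.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum SameSite { Strict, Lax, None }

impl fmt::Display for SameSite {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(match self {
            SameSite::Strict => "Strict",
            SameSite::Lax => "Lax",
            SameSite::None => "None",
        })
    }
}

/// Hypothetical options struct for this example (not a real library API).
pub struct CookieOptions<'a> {
    pub name: &'a str,
    pub value: &'a str,
    pub path: &'a str,
    pub same_site: SameSite,
    pub http_only: bool,
    pub secure: bool,
    pub max_age: Option<u64>,
}

/// Reject characters that would let an attacker-controlled value smuggle in
/// extra attributes or a second header line (RFC 6265 token / cookie-octet rules).
fn valid_name(s: &str) -> bool {
    !s.is_empty()
        && s.bytes().all(|b| b > 0x20 && b < 0x7f && !b";,=\"()/<>@:\\[]?{}".contains(&b))
}
fn valid_value(s: &str) -> bool {
    s.bytes().all(|b| b > 0x20 && b < 0x7f && !b";,\\\"".contains(&b))
}

/// Build a Set-Cookie header value, refusing combinations browsers reject.
pub fn build_set_cookie(opts: &CookieOptions<'_>) -> Result<String, String> {
    if !valid_name(opts.name) {
        return Err(format!("invalid cookie name {:?}", opts.name));
    }
    if !valid_value(opts.value) {
        return Err("cookie value contains characters that could inject attributes".into());
    }
    if opts.same_site == SameSite::None && !opts.secure {
        return Err("SameSite=None requires Secure; browsers reject it otherwise".into());
    }
    if opts.name.starts_with("__Host-") && !(opts.secure && opts.path == "/") {
        return Err("__Host- prefixed cookies must be Secure with Path=/".into());
    }
    let mut header = format!("{}={}; Path={}; SameSite={}",
                             opts.name, opts.value, opts.path, opts.same_site);
    if opts.http_only { header.push_str("; HttpOnly"); }
    if opts.secure { header.push_str("; Secure"); }
    if let Some(age) = opts.max_age { header.push_str(&format!("; Max-Age={}", age)); }
    Ok(header)
}

/// Audit an existing Set-Cookie header value and list what a session cookie
/// should carry but does not. Attribute names are matched case-insensitively.
pub fn audit_set_cookie(header: &str) -> Vec<&'static str> {
    let mut findings = Vec::new();
    // Skip the leading name=value pair; everything after it is an attribute.
    let attrs: Vec<String> = header.split(';').skip(1)
        .map(|a| a.trim().to_ascii_lowercase()).collect();
    let has = |flag: &str| attrs.iter().any(|a| a.as_str() == flag);
    let same_site = attrs.iter()
        .find_map(|a| a.strip_prefix("samesite=").map(|v| v.to_string()));
    if !has("httponly") { findings.push("missing HttpOnly: readable by script after XSS"); }
    if !has("secure") { findings.push("missing Secure: sent over plaintext HTTP"); }
    match same_site.as_deref() {
        None => findings.push("missing SameSite: browser default applies, set it explicitly"),
        Some("none") if !has("secure") => findings.push("SameSite=None without Secure is rejected by browsers"),
        Some("none") => findings.push("SameSite=None: cookie is attached to cross-site requests"),
        _ => {}
    }
    findings
}

fn main() {
    // Constructed sample values, not real session material.
    let opts = CookieOptions { name: "__Host-session", value: "abc123", path: "/",
        same_site: SameSite::Lax, http_only: true, secure: true, max_age: Some(3600) };
    println!("{}", build_set_cookie(&opts).unwrap());
    for f in audit_set_cookie("sid=abc123; Path=/") { println!("finding: {f}"); }
}
```

Run the audit over the headers a scanner or your integration tests capture from the real application; an empty findings list for every session cookie is the property worth asserting in CI.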