Always set appropriate security flags on cookies, especially those used for authentication or session management. At minimum, include:

- HttpOnly: prevents JavaScript access to the cookie (document.cookie), so script injected through an XSS flaw cannot read it and exfiltrate the session. It limits the impact of XSS rather than preventing XSS itself.
- Secure: ensures the browser only sends the cookie over HTTPS connections, so it is never exposed on a plaintext hop.
- SameSite: use Lax for cookies that must survive a top-level cross-site navigation after a redirect (such as the return leg of an OAuth flow), or Strict for maximum protection when such redirects are not needed. Lax still attaches the cookie to top-level GET navigations, so state-changing actions must not be reachable via GET.

Example of a properly configured cookie in an OAuth flow:
// Attach the session cookie to the response header with security flags.
// COOKIE_NAME (the cookie's name) and `cookie` (the freshly generated session
// identifier) are assumed to be in scope; the header is built as a string and
// then written to the Set-Cookie response header.
let cookie = format!(
    "{COOKIE_NAME}={cookie}; SameSite=Lax; Path=/; HttpOnly; Secure"
);
These settings significantly reduce the risk of cookie theft, session hijacking, and cross-site request forgery attacks. Treat SameSite as defense in depth rather than a complete CSRF fix: older browsers ignore it, and Lax permits top-level GET navigations, so keep anti-CSRF tokens on state-changing requests.
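The snippet above builds the header by string formatting, which is correct only if the value cannot smuggle in extra attributes and if the flags are actually present on every cookie the service sets. The following added example (not code from the original page or from any project it describes) generalizes that idea in two directions: a builder that refuses cookie names and values containing delimiter characters, and a small auditor that parses any Set-Cookie header and reports which of HttpOnly, Secure and SameSite are missing, treating SameSite=None as no CSRF protection. The cookie name and values are constructed sample data, and the enum and function names are this example's own, not a library API:

```rust
// Added example: build a hardened Set-Cookie header and audit arbitrary
// Set-Cookie headers for the three flags. Uses only the standard library.

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum SameSite {
    Strict,
    Lax,
}

impl SameSite {
    fn as_str(self) -> &'static str {
        match self {
            SameSite::Strict => "Strict",
            SameSite::Lax => "Lax",
        }
    }
}

/// Build a Set-Cookie header value with the minimum security flags.
/// Rejects names and values containing characters that would let the caller
/// break out of the name=value position and inject further attributes.
pub fn build_session_cookie(name: &str, value: &str, same_site: SameSite) -> Result<String, String> {
    if name.is_empty() || name.chars().any(|c| c.is_control() || c == '=' || c == ';' || c == ' ') {
        return Err(format!("invalid cookie name: {name:?}"));
    }
    if value.chars().any(|c| c.is_control() || c == ';' || c == ',' || c == ' ' || c == '"' || c == '\\') {
        return Err("cookie value contains characters not allowed in a cookie-value".to_string());
    }
    Ok(format!(
        "{name}={value}; SameSite={}; Path=/; HttpOnly; Secure",
        same_site.as_str()
    ))
}

/// Parse a Set-Cookie header and return the security flags it is missing.
/// Attribute names are matched case-insensitively, as browsers do.
pub fn missing_flags(set_cookie: &str) -> Vec<&'static str> {
    let mut has_httponly = false;
    let mut has_secure = false;
    let mut same_site: Option<String> = None;

    // The first ';'-separated segment is name=value; the rest are attributes.
    for attr in set_cookie.split(';').skip(1) {
        let attr = attr.trim();
        let (key, val) = match attr.split_once('=') {
            Some((k, v)) => (k.trim().to_ascii_lowercase(), Some(v.trim().to_ascii_lowercase())),
            None => (attr.to_ascii_lowercase(), None),
        };
        match key.as_str() {
            "httponly" => has_httponly = true,
            "secure" => has_secure = true,
            "samesite" => same_site = val,
            _ => {}
        }
    }

    let mut missing = Vec::new();
    if !has_httponly {
        missing.push("HttpOnly");
    }
    if !has_secure {
        missing.push("Secure");
    }
    match same_site.as_deref() {
        Some("strict") | Some("lax") => {}
        // SameSite=None explicitly opts out of cross-site protection.
        Some("none") => missing.push("SameSite=Lax or Strict"),
        _ => missing.push("SameSite"),
    }
    missing
}

fn main() {
    // Constructed sample cookie value, not a real session identifier.
    let cookie = build_session_cookie("session", "c0ffee42deadbeef", SameSite::Lax).unwrap();
    println!("{cookie}");
    for bad in ["session=abc; Path=/", "session=abc; Secure; SameSite=None"] {
        println!("{bad:?} is missing {:?}", missing_flags(bad));
    }
    // A value carrying a delimiter is rejected instead of being interpolated.
    println!("{:?}", build_session_cookie("session", "abc; HttpOnly", SameSite::Strict));
}
```

The auditor is the piece worth wiring into tests or a response middleware: run it over every Set-Cookie header the application emits and fail the build or log an alert when the returned list is non-empty, which catches the one cookie someone added without copying the flags.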