SessionCookieSecureFlags [rule] v0.1.0

Every cookie that carries a session identifier or auth token must be issued with Secure, HttpOnly, and SameSite=Lax (or Strict). Where the session id is short, prefix the cookie name with __Host- to bind it to the origin and forbid subdomain overwrites.

Checks

• Secure: cookie sent only over HTTPS — never on plain HTTP.
• HttpOnly: cookie not accessible from JavaScript — document.cookie cannot read or write it.
• SameSite=Lax minimum; use Strict where cross-site GET landing is unnecessary.
• __Host- prefix on the cookie name where supported — locks Path=/, no Domain attribute, requires Secure.
• Path attribute scoped to where the cookie is needed (default / is acceptable; never broader than the app).
• Cookie expiry: short idle timeout (15–30 min for sensitive apps) plus an absolute lifetime (e.g. 8 hours).

Label

Session cookies must set Secure, HttpOnly, and SameSite

SessionCookieSecureFlags [rule] v0.1.0

Every cookie that carries a session identifier or auth token must be issued with Secure, HttpOnly, and SameSite=Lax (or Strict). Where the session id is short, prefix the cookie name with __Host- to bind it to the origin and forbid subdomain overwrites.

Checks

• Secure: cookie sent only over HTTPS — never on plain HTTP.
• HttpOnly: cookie not accessible from JavaScript — document.cookie cannot read or write it.
• SameSite=Lax minimum; use Strict where cross-site GET landing is unnecessary.
• __Host- prefix on the cookie name where supported — locks Path=/, no Domain attribute, requires Secure.
• Path attribute scoped to where the cookie is needed (default / is acceptable; never broader than the app).
• Cookie expiry: short idle timeout (15–30 min for sensitive apps) plus an absolute lifetime (e.g. 8 hours).

Label

Session cookies must set Secure, HttpOnly, and SameSite

Label

Session cookies must set Secure, HttpOnly, and SameSite