FixVibe

// surface / spotlight

Session Cookie Attributes

HttpOnly, Secure, SameSite — three flags that turn a session cookie into something attackers can't easily steal.

Il gancio

Three flags on a Set-Cookie line decide whether an XSS in your app becomes an inconvenience or a session hijack. They cost nothing to set, every modern framework supports them, and yet auth cookies routinely ship to production missing one or more. The bug is operational, not technical: someone wrote the cookie-issuing code in 2019 before SameSite became the browser default, nobody updated it when defaults changed, and the cookie has been quietly missing protections for years. The good news is that fixing this is one config change. The bad news is that until you fix it, any XSS or CSRF in your app skips the entire 'session cookie defense' layer.

Come funziona

HttpOnly tells the browser to hide the cookie from JavaScript — `document.cookie` simply won't return it. This is the single biggest XSS-blast-radius reducer: an attacker with script execution in your origin can do many things, but stealing a HttpOnly cookie isn't one of them. Secure tells the browser to send the cookie only over HTTPS, so an attacker on hostile WiFi can't sniff it from a downgraded connection. SameSite=Lax (the modern browser default) blocks the cookie on cross-site form POSTs and most cross-site fetches, eliminating classic CSRF without requiring CSRF tokens. SameSite=Strict goes further (no cookie on any cross-site request, including top-level navigations) at the cost of breaking some legit cross-site auth flows. The `__Host-` cookie name prefix is the strongest possible binding — it requires Secure, no Domain attribute, and Path=/ — making the cookie inseparable from your origin.

Le varianti

Missing HttpOnly

JavaScript-readable session cookie. Any XSS exfiltrates it in one fetch. Most consequential single missing flag.

Missing Secure

Cookie sent over plain HTTP if any link to http:// gets clicked. Hostile-WiFi sniff vector. Combined with no HSTS, trivially exploitable.

Missing or None SameSite

Modern browsers default to Lax for cookies without an explicit SameSite attribute, but explicit `SameSite=None` (sometimes used for cross-domain SSO) re-enables CSRF if you don't have token-based defenses.

Auth state in localStorage

Some apps skip cookies entirely and store JWTs in localStorage. localStorage is JS-readable by definition; HttpOnly doesn't apply. Architecturally regressive.

Il raggio d'azione

Without HttpOnly, every XSS — DOM-based or reflected — escalates to full account takeover via cookie exfiltration. Without Secure, a hostile network connection (coffee shop WiFi, captive portal, conference WiFi) can sniff sessions whenever the user clicks any plain-http link to your domain. Without SameSite, classic CSRF returns: any other site the user visits can submit forged forms to your endpoints carrying their session.

// cosa controlla fixvibe

Cosa controlla FixVibe

FixVibe checks this class with high-confidence, non-destructive signals and only reports actionable evidence. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Difese a prova di bomba

Set HttpOnly + Secure + SameSite=Lax on every session and auth cookie. Modern frameworks make this the default — Express's `cookie` package, Next.js's `cookies()` API, Django's `SESSION_COOKIE_SECURE`/`SESSION_COOKIE_HTTPONLY`/`SESSION_COOKIE_SAMESITE`, Laravel's `config/session.php` — but verify in production. Use `__Host-` cookie name prefix (`__Host-session`) for the strongest possible binding to your origin. Don't store auth state in localStorage; it's JavaScript-readable and the entire point of HttpOnly is to defeat that. For cross-domain SSO scenarios that require SameSite=None, pair it with strong CSRF defenses (custom headers, tokens) so you're not relying on browser-level cookie isolation alone. Audit any cookie set without explicit attribute config — defaults change, and silent regressions happen.

// run it on your own app

Continua a spedire mentre FixVibe vigila per te.

FixVibe mette sotto pressione la superficie pubblica della tua app come farebbe un attaccante — senza agent, senza installazione, senza carta. Continuiamo a studiare nuovi pattern di vulnerabilità e li trasformiamo in controlli pratici e fix pronti da incollare in Cursor, Claude e Copilot.

HTTP e superficie
26
test eseguiti in questa categoria
modules
4
controlli dedicati a http e superficie
ogni scansione
487+
test su tutte le categorie
  • Gratis — senza carta di credito, senza installazione, senza ping su Slack
  • Incolla un URL — pensiamo noi a crawl, sonde e report
  • Risultati classificati in base alla gravità, deduplicati solo per segnalare
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Esegui una scansione gratuita

// latest checks · practical fixes · ship with confidence

Session Cookie Attributes — Vulnerabilità in primo piano | FixVibe · FixVibe