Insecure Cookie Configuration

Security vulnerability, severity: medium

Insecure cookies lack proper security flags, making them vulnerable to theft via XSS, interception over HTTP, or cross-site request forgery.


What is Insecure Cookie Configuration?

Cookies store session identifiers and other sensitive data. Without the proper attributes they can be read by JavaScript (if HttpOnly is missing), intercepted on plain-HTTP connections (if Secure is missing), or attached to cross-site requests in CSRF attacks (if SameSite is missing). These flags are your last line of defense for session security.

How It Happens

  • Default cookie settings not hardened
  • Framework doesn't set secure flags by default
  • HttpOnly removed for JavaScript access
  • Secure disabled for local HTTP testing and never re-enabled for production

Impact

  • Session hijacking through XSS attacks
  • Cookie interception on non-HTTPS connections
  • Cross-site request forgery (CSRF) attacks
  • Account takeover through stolen sessions

How to Detect

  • Check cookies in browser DevTools > Application > Cookies
  • Look for missing HttpOnly, Secure, SameSite flags
  • Run VAS to analyze cookie security
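As an added example (not code from this page or from VAS), the following JavaScript audits Set-Cookie header values for the missing flags listed above. It also reports two related misconfigurations browsers enforce: SameSite=None without Secure, and cookie-name prefixes (__Host-, __Secure-) whose requirements are not met. The sample headers are constructed, and the function names are this example's own.

```javascript
// Added example: audit Set-Cookie header values for HttpOnly, Secure and SameSite.
// Attribute names are matched case-insensitively, as browsers do.

function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? "" : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    // Flag attributes (Secure, HttpOnly) have no value; store them as true.
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const hasSecure = attrs.secure === true;
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;

  if (attrs.httponly !== true) findings.push("missing HttpOnly");
  if (!hasSecure) findings.push("missing Secure");
  if (sameSite === null) findings.push("missing SameSite");
  // Modern browsers reject SameSite=None cookies that are not also Secure.
  if (sameSite === "none" && !hasSecure) findings.push("SameSite=None requires Secure");
  // Name prefixes are enforced by browsers; a violating cookie is silently dropped.
  if (name.startsWith("__Secure-") && !hasSecure) findings.push("__Secure- prefix requires Secure");
  if (name.startsWith("__Host-")) {
    if (!hasSecure) findings.push("__Host- prefix requires Secure");
    if (attrs.path !== "/") findings.push("__Host- prefix requires Path=/");
    if ("domain" in attrs) findings.push("__Host- prefix forbids Domain");
  }
  return { name, findings };
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  "session=abc123",
  "session=abc123; HttpOnly; Secure; SameSite=Lax; Path=/",
  "tracker=xyz; SameSite=None; Path=/",
  "__Host-session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/; Domain=example.com",
];

function auditAll(headers = SAMPLE_HEADERS) {
  return headers.map(auditSetCookie);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditAll()) console.log(r.name, r.findings.length ? r.findings : "OK");
}
```

Feed it the Set-Cookie values from a response (for example, every header of that name from a login reply) and treat any non-empty findings list as a hit; the second sample header, which matches the complete example further down this page, passes cleanly.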

How to Fix

Set HttpOnly flag

Prevents JavaScript (document.cookie) from reading the cookie, so an XSS payload cannot exfiltrate the session identifier.

// Cookie should have:
Set-Cookie: session=abc123; HttpOnly

Set Secure flag

The browser only sends the cookie over HTTPS connections.

Set-Cookie: session=abc123; Secure

Set SameSite attribute

Restricts when the browser attaches the cookie to cross-site requests, which defeats most CSRF attacks. Lax still sends the cookie on top-level GET navigations, so state-changing actions must not be performed on GET.

Set-Cookie: session=abc123; SameSite=Lax
// or SameSite=Strict for maximum protection; Strict also withholds the cookie when a user arrives via a link from another site, so that first request appears unauthenticated

Complete secure cookie example

All security flags combined.

Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Lax; Path=/
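As an added example (not code from this page or from VAS), here is a JavaScript builder that emits Set-Cookie values with every flag from this page on by default, so that a secure cookie is what you get unless you explicitly opt out. It also applies the __Host- prefix to the session cookie and refuses combinations browsers would reject. The option names and function names are this example's own.

```javascript
// Added example: build Set-Cookie header values with hardened defaults.

function buildSetCookie(name, value, options = {}) {
  // Defaults: HttpOnly, Secure, SameSite=Lax, Path=/ (the complete example on this page).
  const opts = {
    httpOnly: true,
    secure: true,
    sameSite: "Lax",
    path: "/",
    maxAge: undefined,
    domain: undefined,
    ...options,
  };
  // Cookie values may not contain ';', ',' or whitespace; refuse rather than emit a broken header.
  if (/[;,\s]/.test(value)) throw new Error("invalid cookie value");
  if (!["Lax", "Strict", "None"].includes(opts.sameSite)) throw new Error("invalid SameSite");
  // Browsers reject SameSite=None without Secure, so never emit that combination.
  if (opts.sameSite === "None" && !opts.secure) throw new Error("SameSite=None requires Secure");
  // __Host- cookies must be Secure, Path=/ and carry no Domain attribute.
  if (name.startsWith("__Host-") && (!opts.secure || opts.path !== "/" || opts.domain !== undefined)) {
    throw new Error("__Host- cookies must be Secure, Path=/ and have no Domain");
  }

  const parts = [`${name}=${value}`];
  if (opts.domain !== undefined) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push("Secure");
  if (opts.httpOnly) parts.push("HttpOnly");
  parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}

// Session cookie: the __Host- prefix pins it to this origin over HTTPS, and
// SameSite=Strict keeps it off every cross-site request.
function sessionCookie(sessionId, { isProduction = true } = {}) {
  // Only non-production may drop Secure (plain-http local dev). The prefix is
  // dropped too, because browsers refuse a __Host- cookie that is not Secure.
  if (!isProduction) return buildSetCookie("session", sessionId, { secure: false });
  return buildSetCookie("__Host-session", sessionId, { sameSite: "Strict", maxAge: 3600 });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(sessionCookie("abc123"));
}
```

Pass the returned string to your framework's raw header API (in Node, `res.setHeader("Set-Cookie", ...)`); the only way to get an insecure cookie is to pass `isProduction: false`, which makes the development exception visible in code review instead of hidden in a config default.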

Is Your App Vulnerable?

VAS automatically scans for insecure cookie configuration and provides detailed remediation guidance.
