GitHub

Cookie Flags

Checks Set-Cookie response headers for Secure, HttpOnly, and SameSite attributes

Checks Set-Cookie response headers for Secure, HttpOnly, and SameSite attributes

Rule IDsecurity/cookie-flags
CategorySecurity
ScopePer-page
Severitywarning
Weight5/10

Solution

Cookies set by your server should carry the flags appropriate to their purpose. Secure stops a cookie from ever being sent over plain HTTP, so it can’t be intercepted on a downgraded connection. HttpOnly stops client-side JavaScript from reading it, closing off a common XSS cookie-theft path — omit it only for cookies your own frontend genuinely needs to read. SameSite=Lax or SameSite=Strict blocks the cookie from being sent on cross-site requests, mitigating CSRF; if you need SameSite=None for a legitimate cross-site use case (e.g. an embedded widget), it must be paired with Secure or browsers will reject the cookie outright.

Enable / Disable

Disable this rule

squirrel.toml
toml
[rules]
disable = ["security/cookie-flags"]

Disable all Security rules

squirrel.toml
toml
[rules]
disable = ["security/*"]

Enable only this rule

squirrel.toml
toml
[rules]
enable = ["security/cookie-flags"]
disable = ["*"]

Type to search…

↑↓ navigate ↵ open esc close