Cookie Security Checklist: Lock Down Your Data

December 27, 2023 | By IANS Research

Cookies can contain sensitive data or information your web application uses to make decisions. The information should be protected both from prying eyes (confidentiality) and from unintended changes (integrity). This checklist provides some key settings web application developers should use to ensure cookies are fully locked down. They should be set in addition to any other (nonsecurity) settings you may want to use.


Cookie Security Checklist to Lock Down Data

  • Secure
    • This flag ensures cookies are only sent over HTTPS.
      • Set-Cookie: Secure


  • HTTPonly
    • This flag blocks JavaScript from accessing your cookie and stops cross-site scripting (XSS).
      • Set-Cookie: HttpOnly


  • Expires
    • This ends cookie persistence and deletes old cookies on a particular date.
    • For example, to end cookie persistence on Jan. 1, 2024:
      • Set-Cookie: Expires=Mon, 1st Jan 2024 00:00:00 GMT


  • Max-age
    • This ends cookie persistence and deletes old cookies within a set time frame.
    • For example, to set a max-age of one hour:
      • Set-Cookie: Max-Age=3600


  • Domain
    • This is used if you want to share your cookies with domains (other than your own).
      • Set-Cookie:


  • Path
    • This is used to limit cookie access to only certain parts/paths of your domain.
      • Set-Cookie: path=/YourApplicationsPath


  • Same-Site
    • This disallows cookies from other domains to be used by your app. Strict is the preferred option for security, as the Lax setting only blocks POST requests, while allowing links and XSS blocking.
      • Set-Cookie: same-site=Strict
      • Set-Cookie: same-site=Lax


Cookie Security Best Practices

Classify the data in your cookies so you know if they contain sensitive data. Add labels, if possible, and document it. The more sensitive the data in the cookie, the more care you should take and the shorter amount of time it should persist.


Find IANS SEC Cyber Disclosure Resources

The SEC has adopted new regulations that require publicly traded companies to disclose “material” cybersecurity incidents within four days, as well as make periodic disclosures around their cybersecurity risk governance.

Find actionable guidance and takeaways for CISOs, leadership and the board to verify compliance. Visit IANS SEC Cyber Disclosure Rules page to find helpful resources including videos, checklists and guidance.

Not an IANS client? Get in touch to learn more about how we can help you and your security team navigate through the upcoming regulatory changes and much more.


Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

Access time-saving tools and helpful guides from our Faculty.

IANS + Artico Search

Our 2024-2025 CISO Compensation and Budget Benchmark Survey is Live!

Get New IANS Blog Content
Delivered to Your Inbox

Please provide a business email.