
HTTP Cookie Parser

Parse HTTP Set-Cookie header strings into structured fields: name, value, domain, path, expiry, Secure, HttpOnly, and SameSite attributes.


How to Use HTTP Cookie Parser

  1. Paste a Set-Cookie header string into the parser.
  2. See each attribute broken down (name, value, domain, etc.).
  3. Check security flags like HttpOnly, Secure, and SameSite.
  4. Understand the cookie expiry and scope.

Frequently Asked Questions

What is a Set-Cookie header?
The Set-Cookie HTTP response header is used by a server to send a cookie to the user's browser. Format: Set-Cookie: name=value; Path=/; Domain=example.com; Expires=Thu, 01 Jan 2026 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict. The browser stores the cookie and sends it back with subsequent requests to matching domains and paths via the Cookie: request header.
What does HttpOnly mean?
The HttpOnly flag prevents JavaScript from accessing the cookie via document.cookie. This protects against XSS (cross-site scripting) attacks that try to steal session cookies. Authenticated session cookies should always have HttpOnly set. Note: HttpOnly does not prevent the cookie from being sent with requests — it only prevents client-side script access.
What does Secure mean for cookies?
The Secure flag ensures the cookie is only sent over HTTPS connections. Without Secure, the cookie is sent over plain HTTP, where it can be intercepted by network attackers (MITM attacks). All cookies containing sensitive data (session tokens, authentication) should have Secure set. Secure has no effect on localhost.
What is SameSite?
SameSite controls when cookies are sent with cross-site requests. Strict: cookie only sent for same-site requests (most secure, breaks OAuth flows). Lax: cookie sent for same-site and top-level cross-site navigations (GET only) — the default in modern browsers. None: cookie sent for all cross-site requests — requires Secure flag. SameSite=None is required for third-party cookies (analytics, embedded content).
What is cookie prefixing (__Secure- and __Host-)?
__Secure- prefix: cookie must have Secure flag and be set from HTTPS. __Host- prefix: cookie must have Secure flag, no Domain attribute, and Path=/. The __Host- prefix is stricter and prevents subdomain cookie hijacking. These prefixes are enforced by the browser; a server cannot override them. Use __Host- for the most secure session cookies when no subdomain sharing is needed.
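
The checks described in the answers above can be automated when reviewing response headers. The following is an added example, not the code behind this tool: it parses one Set-Cookie value and reports missing flags and violated prefix rules. The function names parseSetCookie and auditCookie and the sample headers are assumptions made for illustration.

```javascript
// Added example: parse one Set-Cookie header value and audit its security attributes.
// parseSetCookie and auditCookie are hypothetical names, not the tool's own code.
function parseSetCookie(header) {
  const parts = header.replace(/^set-cookie:\s*/i, "").split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  if (eq < 1) throw new Error("missing name=value pair");
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(), // the value may itself contain "="
    attrs: Object.create(null),
  };
  for (const part of parts.slice(1)) {
    if (!part) continue; // tolerate a trailing ";"
    const i = part.indexOf("=");
    // Attribute names are case-insensitive; flags such as Secure carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

function auditCookie(cookie) {
  const a = cookie.attrs;
  const findings = [];
  const sameSite = typeof a.samesite === "string" ? a.samesite.toLowerCase() : null;
  if (!a.httponly) findings.push("HttpOnly missing: readable via document.cookie");
  if (!a.secure) findings.push("Secure missing: sent over plain HTTP");
  if (sameSite === null) findings.push("SameSite missing: browser default applies");
  if (sameSite === "none" && !a.secure) findings.push("SameSite=None requires Secure");
  if (cookie.name.startsWith("__Secure-") && !a.secure)
    findings.push("__Secure- prefix requires Secure");
  if (cookie.name.startsWith("__Host-")) {
    if (!a.secure) findings.push("__Host- prefix requires Secure");
    if ("domain" in a) findings.push("__Host- prefix forbids Domain");
    if (a.path !== "/") findings.push("__Host- prefix requires Path=/");
  }
  return findings;
}

// Constructed sample headers (not captured from a real site).
const samples = [
  "Set-Cookie: __Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
  "Set-Cookie: __Host-session=abc123; Domain=example.com; Path=/app; HttpOnly",
  "Set-Cookie: tracker=xyz; SameSite=None",
];
for (const s of samples) console.log(s, "->", auditCookie(parseSetCookie(s)));
```

A browser rejects the second sample outright because the __Host- rules are not met; the audit lists each violated rule so the server-side fix is clear.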