Headers | High Priority | Free

Set-Cookie headers

Cookie security attributes (Secure, HttpOnly, SameSite) protect session cookies from theft and cross-site attacks.

Why It Matters

Insecure cookies can be stolen via XSS (without HttpOnly), transmitted over HTTP (without Secure), or exploited in CSRF attacks (without SameSite). Session hijacking can give attackers full access to user accounts.

How We Check

We analyze Set-Cookie headers for Secure, HttpOnly, and SameSite attributes. We also check for cookie prefixes (__Host-, __Secure-) and appropriate expiration settings.

How to Fix

Set all sensitive cookies with:

Set-Cookie: session=value; Secure; HttpOnly; SameSite=Lax; Path=/

Use the __Host- prefix for session cookies when possible.
