Auth/session cookie without __Host- prefix
Your login or session cookie, the small piece of data that keeps you signed in, is missing a modern security flag called the "__Host-" prefix (pronounced "host prefix"). Browsers that support cookie prefixes only accept a cookie whose name starts with "__Host-" when it is set over HTTPS with the Secure flag, has no Domain attribute, and has Path=/. Those rules lock the cookie to the exact host that set it, so it cannot be set by or shared with subdomains, and a cookie set on a narrower path cannot shadow it.
Why this matters
Without this prefix, a vulnerability on a subdomain of your site (such as a blog or staging environment hosted at a different subdomain) could allow an attacker to intercept or override your session cookie. The __Host- prefix is recommended by OWASP and modern browser security guidance as a best practice for any site with user logins.
How to fix it
Ask your developer to rename your main session cookie to start with "__Host-" and ensure it's set with the Secure flag, no Domain attribute, and Path=/. This is a low-effort, high-impact hardening step for any site with user logins.
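To make the rules above concrete for both the explanation of what the prefix enforces and the fix described here, the following is an added example (not part of the original finding or of any scanner's own code). It parses Set-Cookie headers, lists the reasons a cookie would fail the __Host- conditions, and rewrites a session cookie into compliant form. The cookie names and header strings are constructed for illustration.

```python
# Added example, not part of the original finding: a small checker that parses
# Set-Cookie headers, reports why a cookie fails the __Host- rules, and rewrites
# a session cookie into compliant form. Cookie names and header strings below
# are constructed for illustration.
from typing import Dict, List, Tuple

# Canonical attribute spelling used when re-serialising a header.
CANONICAL = {
    "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite",
    "path": "Path", "domain": "Domain", "max-age": "Max-Age", "expires": "Expires",
}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to "".
    Insertion order is preserved so the header can be rebuilt predictably.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def host_prefix_problems(header: str) -> List[str]:
    """Return the reasons this cookie does not satisfy the __Host- rules.

    These are the same conditions a prefix-aware browser enforces: the name
    must start with __Host-, Secure must be set, Domain must be absent and
    Path must be exactly "/". An empty list means the cookie is compliant.
    """
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if not name.startswith("__Host-"):
        problems.append("name lacks __Host- prefix")
    if "secure" not in attrs:
        problems.append("missing Secure attribute")
    if "domain" in attrs:
        problems.append("Domain attribute present (must be omitted)")
    if attrs.get("path") != "/":
        problems.append("Path must be exactly /")
    return problems


def harden_set_cookie(header: str) -> str:
    """Rewrite a session Set-Cookie header into __Host- compliant form.

    Prefixes the name, adds Secure, drops Domain and forces Path=/; every
    other attribute (HttpOnly, SameSite, Max-Age, ...) is kept as it was.
    """
    name, value, attrs = parse_set_cookie(header)
    if not name.startswith("__Host-"):
        name = "__Host-" + name
    attrs.pop("domain", None)
    attrs["secure"] = ""
    attrs["path"] = "/"
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        rendered.append(f"{label}={val}" if val else label)
    return "; ".join(rendered)


if __name__ == "__main__":
    # Constructed header of the kind this finding flags: session cookie shared
    # with every subdomain of example.com and lacking the Secure flag.
    before = "sessionid=abc123; Domain=example.com; Path=/; HttpOnly; SameSite=Lax"
    print("before:  ", before)
    print("problems:", host_prefix_problems(before))
    after = harden_set_cookie(before)
    print("after:   ", after)
    print("problems:", host_prefix_problems(after))
```

Two practical notes: the checker validates the header's attributes, but a browser only honours the prefix when the cookie is also set over HTTPS, so the check belongs on the production (TLS) origin. Renaming the cookie also means the application must read the new name, and sessions stored under the old name will no longer be recognised, so users will be signed out once at rollout.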