Cookies missing security flags
Websites store small files called cookies on visitors' browsers to remember preferences, sessions, and other data. Security flags on cookies — Secure, HttpOnly, and SameSite — restrict how and when those cookies can be accessed.
Why this matters
Without these flags, cookies can be stolen if a connection is intercepted (missing Secure), read by malicious scripts if your site is ever compromised (missing HttpOnly), or exploited in cross-site attacks (missing SameSite). Together these flags form the basic hygiene baseline for protecting user sessions and logins.
How to fix it
Ask your developer to review all cookies set by your site and ensure each has the Secure, HttpOnly, and SameSite=Lax flags applied. This is a configuration change in your server or application code and does not require changes visible to users.
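For the developer doing that review, the following is an added example (not part of the original page) that checks Set-Cookie header values for the three flags. The sample headers and function names are constructed for illustration; in practice you would feed it the Set-Cookie values copied from your own site's responses.

```python
# Added example: audit Set-Cookie header values for Secure, HttpOnly, SameSite.
# Function names and sample headers are constructed for illustration.

def audit_set_cookie(header_value):
    """Return (cookie_name, [problems]) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    # First part is name=value; the value itself may contain '='.
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive

    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None:
        problems.append("missing SameSite")
    elif samesite.lower() == "none":
        problems.append("SameSite=None gives no cross-site restriction")
    elif samesite.lower() not in ("lax", "strict"):
        problems.append("invalid SameSite value: " + samesite)
    return name, problems

def audit_all(headers):
    """Map cookie name -> problems, listing only cookies that need a fix."""
    results = (audit_set_cookie(h) for h in headers)
    return {name: problems for name, problems in results if problems}

# Constructed sample Set-Cookie values (not taken from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/; Max-Age=31536000",
    "cart=42; Path=/; Secure; SameSite=None",
    "csrftoken=x=y; Expires=Wed, 21 Oct 2026 07:28:00 GMT; httponly; secure",
]

if __name__ == "__main__":
    for cookie, issues in audit_all(SAMPLE_HEADERS).items():
        print(cookie + ": " + ", ".join(issues))
```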