Cookie attributes reference
| Attribute | Purpose |
|---|---|
| Name | Cookie identifier |
| Value | Cookie data |
| Domain | Which hosts receive the cookie |
| Path | URL path prefix for which cookie is sent |
| Expires | Absolute expiration date |
| Max-Age | Seconds until expiration |
| Secure | Only sent over HTTPS |
| HttpOnly | Not accessible to JavaScript |
| SameSite | Strict, Lax, or None for cross-site behavior |
Understanding Cookie Attributes
Cookies have several attributes that control their behavior. Domain specifies which hosts receive the cookie (default: current host). Path limits the cookie to URLs under that path. Expires and Max-Age set when the cookie is deleted. Secure means the cookie is only sent over HTTPS. HttpOnly prevents JavaScript access. SameSite controls cross-site request behavior. Understanding these helps you build secure, correct cookie configurations.
Security Best Practices for Cookies
For session and authentication cookies: always use Secure (HTTPS only), HttpOnly (no JS access), and SameSite=Lax or Strict. Avoid SameSite=None unless you need cross-site requests, and if you use it, Secure is required. Never store sensitive data in cookies without these flags. This tool highlights warnings when cookies lack these protections.
Set-Cookie vs document.cookie
Set-Cookie is sent by the server in HTTP responses. document.cookie is the JavaScript API for reading and writing cookies. When building a cookie, you may need both formats: Set-Cookie for server responses, document.cookie for client-side code. Note that HttpOnly cannot be set via document.cookie — only the server can set that.
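The attribute table, the session-cookie rules and the Set-Cookie/document.cookie difference above, as a small added example in JavaScript (not DuskTools' own code): a builder that serializes the attributes into a Set-Cookie value, a document.cookie variant that drops HttpOnly because a script cannot set it, and a lint function that reports the warnings the text describes. Option names such as `opts.sameSite` and `isSession` are this example's own.

```javascript
// Added example (not DuskTools' code): build a Set-Cookie header from the
// attributes in the table above and lint it for the recommended protections.
const VALID_SAMESITE = new Set(["Strict", "Lax", "None"]);

// Serialize a cookie description into a Set-Cookie header value.
// `opts` keys mirror the attribute table; booleans select flag attributes.
function buildSetCookie(name, value, opts = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error("invalid cookie name: " + name);
  }
  if (opts.sameSite && !VALID_SAMESITE.has(opts.sameSite)) {
    throw new Error("SameSite must be Strict, Lax or None");
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (Number.isInteger(opts.maxAge)) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push("Secure");
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}

// The same cookie as a document.cookie assignment string. HttpOnly is
// dropped because client-side script cannot set it; the caller is told.
function buildDocumentCookie(name, value, opts = {}) {
  const assignment = buildSetCookie(name, value, { ...opts, httpOnly: false });
  return { assignment, droppedHttpOnly: Boolean(opts.httpOnly) };
}

// Lint a cookie for the protections the page recommends on session cookies.
// Returns an array of warning strings; an empty array means no findings.
function lintCookie(opts = {}, { isSession = true } = {}) {
  const warnings = [];
  if (opts.sameSite === "None" && !opts.secure) {
    warnings.push("SameSite=None requires Secure; browsers reject it otherwise");
  }
  if (isSession) {
    if (!opts.secure) warnings.push("session cookie without Secure is sent over plain HTTP");
    if (!opts.httpOnly) warnings.push("session cookie without HttpOnly is readable by scripts");
    if (!opts.sameSite || opts.sameSite === "None") {
      warnings.push("session cookie should use SameSite=Lax or Strict");
    }
  }
  return warnings;
}
```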