
# Cookie Flags

### Cookie Attributes:

* **`Name`:** Identifies the cookie, can be set without a value.
* **`Domain`:** Specifies the domain to which the cookie will be sent.
* **`Path`:** Determines the URL path for which the cookie will be sent.
* **`Secure`:** Requires the cookie to be sent over HTTPS connections.
* **`Expires`:** Sets the expiration time for the cookie.
* **`Max-Age`:** Specifies the duration of the cookie's validity in seconds.
* **`HttpOnly`:** Prevents client-side JavaScript from reading the cookie; it is only sent along with HTTP requests.
* **`SameSite`:** Controls whether the cookie is sent with cross-site requests.
  * **`SameSite=Lax`:** Cookies are sent with **cross-site GET requests** that result from a top-level navigation by the user, such as clicking a link. This provides a balance between security and usability.
  * **`SameSite=Strict`:** Cookies are **not sent with any cross-site request**. This provides strong protection against CSRF attacks.

### Cookie Prefixes:

Cookie prefixes help safeguard cookies against attacks such as session fixation and cookie overriding. The browser enforces the constraints implied by the prefix and rejects any `Set-Cookie` header that violates them, so a prefixed cookie can only have been set securely and cannot be overwritten from a weaker context.

* **\_\_Secure- Prefix**: When a cookie name is prefixed with `__Secure-`, the cookie must carry the `Secure` attribute and can only be set from an HTTPS origin. This helps protect sensitive information from being intercepted or overwritten over unsecured connections.
* **\_\_Host- Prefix**: The `__Host-` prefix serves the same purpose as `__Secure-`, ensuring the cookie is only set over HTTPS. Additionally, it binds the cookie to the exact host that set it (the cookie must be set without a `Domain` attribute and with `Path=/`), preventing subdomains from altering or overriding it. This prefix is particularly useful for session cookies in modern browsers.
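A small checker for the attribute and prefix rules described above, added here as an example (it is not code from the original page); the function names `parse_set_cookie` and `check_cookie` and the sample headers are constructed for this illustration.

```python
"""Check a Set-Cookie header against the cookie flag and prefix rules."""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; flags without a value map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_cookie(header: str, session_cookie: bool = True) -> list:
    """Return a list of findings; an empty list means the cookie passes.

    Generic findings are hardening gaps; prefix findings mean the browser
    will reject the cookie outright, so it is never stored at all.
    """
    cookie = parse_set_cookie(header)
    name, attrs = cookie["name"], cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if session_cookie and "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax or Strict")
    if name.startswith("__Secure-") and "secure" not in attrs:
        findings.append("__Secure- prefix requires Secure")
    if name.startswith("__Host-"):
        if "secure" not in attrs:
            findings.append("__Host- prefix requires Secure")
        if "domain" in attrs:  # any Domain attribute is forbidden
            findings.append("__Host- prefix forbids Domain")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
    return findings


# Constructed sample: a well-formed __Host- session cookie passes all checks.
GOOD = "__Host-session=abc123; Secure; HttpOnly; Path=/; SameSite=Strict"
# Constructed sample: a __Host- cookie with a Domain and no Path=/ is rejected.
BAD_HOST = "__Host-id=1; Secure; HttpOnly; Domain=example.com; SameSite=Lax"
```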
