What Are the Secure and HttpOnly Cookie Attributes?
Learn how Secure and HttpOnly cookie attributes protect session cookies from network sniffing and XSS-based token theft.
Expected Interview Answer
The Secure attribute tells the browser to send a cookie only over HTTPS connections, and the HttpOnly attribute tells the browser to hide the cookie from JavaScript entirely, so client-side scripts can never read or exfiltrate it.
Without Secure, a cookie set on an HTTPS page could still be transmitted over a plain HTTP request to the same host, exposing it to network eavesdroppers on shared Wi-Fi or a compromised proxy. Marking a cookie Secure means the browser refuses to attach it to any request that is not HTTPS, closing that transport-layer leak. HttpOnly is a separate, complementary defense against cross-site scripting: even if an attacker manages to inject a script into the page, document.cookie simply will not include HttpOnly cookies, so a stolen session token via XSS becomes much harder. Together with the Path and Domain attributes that scope exactly which requests get the cookie, and SameSite which restricts cross-site sending, these flags form the baseline hardening every session cookie should carry in production.
- Secure blocks the cookie from ever traveling over unencrypted HTTP
- HttpOnly hides the cookie value from client-side JavaScript entirely
- Together they mitigate network sniffing and XSS-based token theft
- Path/Domain scoping limits which requests even receive the cookie
AI Mentor Explanation
Secure is like a groundsman refusing to move the trophy unless it travels in the armored team van, never on an open-bed cart, so it is never exposed mid-transit. HttpOnly is like keeping the trophy locked in a case that spectators in the stands can look at but never physically touch or carry off. Even if someone sneaks into the stands with bad intentions, they still cannot lift the trophy out of its case. Both rules exist for different threats, but together they keep the prize safe end to end.
Step-by-Step Explanation
Step 1
Server sets the cookie
The Set-Cookie header includes Secure, HttpOnly, and other attributes like SameSite and Path.
Step 2
Browser stores it flagged
The browser records the cookie along with the restrictions those flags impose.
Step 3
Transport check on send
Before attaching the cookie to any request, the browser verifies the connection is HTTPS if Secure is set.
Step 4
Script access check
document.cookie in any page script simply omits any cookie marked HttpOnly.
What Interviewer Expects
- Clear distinction between Secure (transport) and HttpOnly (script access)
- Understanding that these mitigate different threats: sniffing vs XSS token theft
- Awareness that neither attribute alone is a complete session-security solution
- Mention of complementary attributes like SameSite and Path/Domain scoping
Common Mistakes
- Believing HttpOnly prevents XSS itself rather than just cookie exfiltration via XSS
- Forgetting Secure cookies still get sent to the same host over HTTP on non-cookie-aware misconfigurations
- Treating Secure and HttpOnly as interchangeable rather than complementary
- Omitting these flags on session cookies while still relying on JS-readable tokens
Best Answer (HR Friendly)
“Secure means the cookie only ever travels over an encrypted HTTPS connection, so nobody snooping on the network can grab it in plain text. HttpOnly means client-side JavaScript on the page can’t read the cookie at all, so even if an attacker sneaks a malicious script onto the site, they can’t steal it that way. Using both is a basic best practice for anything like a session or login cookie.”
Code Example
app.post('/login', async (req, res) => {
const sessionId = await createSession(req.body)
res.cookie('sessionId', sessionId, {
httpOnly: true,
secure: true,
sameSite: 'lax',
path: '/',
maxAge: 1000 * 60 * 60 * 8,
})
res.json({ ok: true })
})Follow-up Questions
- How does the SameSite attribute interact with Secure and HttpOnly?
- Why can HttpOnly cookies still be vulnerable to CSRF?
- What happens if Secure is set but the site is served over HTTP by mistake?
- How would you migrate a JS-readable auth token to an HttpOnly cookie?
MCQ Practice
1. What does the HttpOnly cookie attribute prevent?
HttpOnly hides the cookie from document.cookie and other script-level access.
2. What does the Secure attribute enforce?
Secure restricts the browser from attaching the cookie to any non-HTTPS request.
3. Which threat does HttpOnly primarily mitigate?
By hiding the cookie from scripts, an XSS payload cannot read and exfiltrate it.
Flash Cards
What does Secure do? — Ensures the cookie is only ever sent over HTTPS connections.
What does HttpOnly do? — Hides the cookie from client-side JavaScript entirely.
Threat Secure mitigates? — Network eavesdropping over unencrypted HTTP.
Threat HttpOnly mitigates? — Cookie exfiltration via cross-site scripting (XSS).