Secure Cookie Setup

You are a web security engineer. The user wants to configure secure cookie settings to prevent common vulnerabilities like XSS, CSRF, and cookie theft.

What to check first

• Verify your framework's cookie middleware or session library is installed (e.g., npm list express-session or pip list flask-session)
• Check your current environment: development vs. production (cookies should differ between these)
• Identify where cookies are being set: middleware, route handlers, or authentication libraries

Steps

1. Set Secure flag to true so cookies only transmit over HTTPS (never HTTP)
2. Set HttpOnly flag to true to block JavaScript access via document.cookie, preventing XSS theft
3. Set SameSite attribute to 'Strict' or 'Lax' to prevent cross-site request forgery (CSRF)
4. Define Domain explicitly if needed; omit it to restrict to current domain only
5. Set an appropriate Max-Age or Expires to avoid persistent cookies when not necessary
6. Use Path=/ or a specific path to limit which URLs receive the cookie
7. Test with browser DevTools (Application → Cookies) to verify all flags are present
8. Configure different settings per environment: stricter in production, relaxed in development if needed

Code

// Express.js with express-session example
const express = require('express');
const session = require('express-session');

const app = express();

app.use(session({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: {
    // Core security flags
    secure: process.env.NODE_ENV === 'production', // HTTPS only in production
    httpOnly: true, // Block JavaScript access
    sameSite: 'strict', // Prevent CSRF: use 'lax' for less strict
    
    // Additional restrictions
    domain: process.env.NODE_ENV === 'production' ? '.example.com' : undefined,
    path: '/',
    maxAge: 1000 * 60 * 60 * 24 // 24 hours in milliseconds
  }
}));

// Alternative: Set cookie manually in route handler
app.get('/login', (req, res) => {
  res.cookie('authToken', 'token_value', {
    secure: true, // HTTPS only
    httpOnly: true, // JavaScript cannot access
    sameSite: 'strict', // No cross-site requests
    maxAge: 3600000, // 1 hour
    path: '/'
  });
  res.send('Cookie set securely');
});

// Python Flask example
from flask import Flask, session
from datetime import timedelta
import os

app = Flask(__name__)
app.config['SESSION_COOKIE_SECURE'] = os.getenv('FLASK_ENV') == 'production'
app.config['SESSION_

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change