
Security fix guide

How to Fix Insecure Cookies

An insecure cookie is missing one or more protections such as Secure, HttpOnly, or SameSite.


What the issue means

An insecure cookie is one set without the attributes that control how the browser stores and sends it: Secure (send only over HTTPS), HttpOnly (hide from JavaScript's document.cookie) and SameSite (limit sending on requests that originate from other sites). A cookie that carries a session identifier or any other credential needs all three. A non-sensitive cookie, or one the front-end must read from script, may legitimately omit HttpOnly, but that should be a deliberate choice rather than the framework default.

Why it matters

Each flag closes off one way of stealing or abusing the cookie. Without Secure, the browser also sends the cookie on plain http:// requests to the same host, where anyone on the network path can read it. Without HttpOnly, any script running in the page, including one injected through an XSS flaw, can read the cookie with document.cookie and send the session elsewhere. Without SameSite, the browser attaches the cookie to requests that other sites trigger through forms, images or fetches, which is what CSRF depends on. Chromium treats a cookie with no SameSite attribute as Lax, but other browsers do not, so set it explicitly. None of the flags fixes the underlying XSS or CSRF weakness; they limit what an attacker gets from one.

How to check it

In browser devtools, open the Network panel, select the response that logs the user in or starts a session, and read its Set-Cookie headers; the Application (Chrome) or Storage (Firefox) panel also lists the Secure, HttpOnly and SameSite flags of every stored cookie. A website security scan does the same across every response it sees. Check every Set-Cookie header, not only the login response: cookies that the application refreshes later, or that a proxy, CDN or analytics script adds, are easy to miss.

How to fix it

Set all three attributes on every cookie that identifies a user or session: Secure so the cookie is never sent over plain HTTP, HttpOnly so script cannot read it, and SameSite=Lax (or Strict, if the application never needs the cookie on top-level navigations arriving from other sites). Use SameSite=None only for cookies that genuinely must be sent cross-site, such as one backing an embedded widget, and remember that SameSite=None is only accepted together with Secure. Set the flags in the application code that issues the cookie, so they are applied consistently and change under version control, and fall back to proxy or edge rewriting only for applications you cannot change.
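As an added example covering both the check and the fix above (this is not code from the original guide), the following Node.js script parses Set-Cookie headers the way a scanner would, reports which of Secure, HttpOnly and SameSite each cookie lacks, flags the SameSite=None-without-Secure case, and then builds the hardened header a fixed application should send. The function names, the scriptReadable allow-list and every header string are assumptions constructed for the example.

```javascript
// Added example (not from the original guide): audit Set-Cookie headers for the
// Secure, HttpOnly and SameSite protections, then show the hardened header a
// fixed application should send. All header strings here are constructed samples.

// Parse one Set-Cookie header value into its name, value and lower-cased attribute map.
// Attributes without a value (Secure, HttpOnly) are stored as true.
function parseSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of rawAttrs) {
    if (attr === "") continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Return the findings for one Set-Cookie header; an empty list means the cookie
// carries every protection. scriptReadable names cookies the front-end must read
// with document.cookie, which may therefore omit HttpOnly on purpose.
function auditCookie(header, scriptReadable = new Set()) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  const secure = "secure" in attributes;
  if (!secure) findings.push("missing Secure");
  if (!("httponly" in attributes) && !scriptReadable.has(name)) findings.push("missing HttpOnly");
  const sameSite = typeof attributes.samesite === "string" ? attributes.samesite.toLowerCase() : null;
  if (sameSite === null) {
    findings.push("missing SameSite");
  } else if (!["strict", "lax", "none"].includes(sameSite)) {
    findings.push(`unrecognised SameSite value "${attributes.samesite}"`);
  } else if (sameSite === "none" && !secure) {
    findings.push("SameSite=None without Secure (Chromium-based browsers reject such cookies)");
  }
  return findings.map((f) => `${name}: ${f}`);
}

// Audit every Set-Cookie header of one response at once.
function auditResponseCookies(headers, scriptReadable = new Set()) {
  return headers.flatMap((h) => auditCookie(h, scriptReadable));
}

// Build the hardened Set-Cookie header for a session cookie. SameSite=Lax is the
// safe default; pass "Strict" when the cookie is never needed on cross-site navigations.
function buildSessionCookie(name, value, { sameSite = "Lax", maxAge = 3600 } = {}) {
  if (!["Strict", "Lax", "None"].includes(sameSite)) throw new Error(`bad SameSite: ${sameSite}`);
  return [`${name}=${value}`, "Path=/", `Max-Age=${maxAge}`, "Secure", "HttpOnly", `SameSite=${sameSite}`].join("; ");
}

// Constructed sample headers, as a scan of a login response might collect them.
const sampleHeaders = [
  "session=abc123; Path=/",                    // the insecure case: no protections at all
  "prefs=dark; Path=/; Secure; SameSite=Lax",  // deliberately script-readable, so HttpOnly omitted
  "tracker=x; Path=/; SameSite=None",          // None without Secure is rejected by browsers
  buildSessionCookie("session", "abc123"),     // the fixed session cookie
];

for (const header of sampleHeaders) {
  const findings = auditCookie(header, new Set(["prefs"]));
  console.log(findings.length ? findings.join("\n") : `${parseSetCookie(header).name}: ok`);
}
```

The scriptReadable allow-list is the point to get right in practice: a blanket "every cookie must be HttpOnly" rule produces findings for cookies the page's JavaScript legitimately reads, and a blanket proxy rewrite that adds HttpOnly to all of them breaks that JavaScript, which is the downstream effect the configuration notes below warn about.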

Configuration examples

Nginx
Set the flags in application code where possible. When Nginx terminates TLS in front of an application you cannot change, the proxy_cookie_flags directive (Nginx 1.19.3 and later) adds secure, httponly and samesite flags to the Set-Cookie headers it forwards from the upstream, matched by cookie name or regular expression. Match the sensitive cookies by name rather than every cookie, or a cookie the front-end must read via document.cookie stops working.
Apache
Set the flags in application code where possible. For a legacy application behind Apache, the mod_headers directive Header edit Set-Cookie can append the missing attributes to outgoing Set-Cookie headers (use the always condition so error and redirect responses are covered too). Write the expression so it skips cookies that already carry the attribute, and confirm the result in devtools afterwards.
Vercel / Next.js
Call this from a Route Handler or Server Action (cookies() is read-only inside Server Components, and from Next.js 15 it returns a Promise that must be awaited first):
import { cookies } from "next/headers";
cookies().set("session", value, { secure: true, httpOnly: true, sameSite: "lax" });
Cloudflare
Set the flags in application code where possible. Cloudflare can rewrite response headers at the edge, but a rule that adds HttpOnly or SameSite to every Set-Cookie also changes cookies that browser code must read or that third-party embeds rely on. Scope any such rule to the named session cookie and test login, logout and any cross-site embed afterwards.
