Session cookies use httpOnly + Secure + SameSite

Why it matters

Each missing cookie flag removes a specific defense: without httpOnly, any XSS payload can read document.cookie and exfiltrate the session token; without secure, the cookie travels in cleartext on any accidental HTTP hop and can be captured on hostile networks; without a non-none sameSite, the cookie rides along with cross-site requests and opens the door to CSRF against state-changing endpoints. AI coding tools frequently generate cookies().set(name, value) or res.cookie(name, value) calls with no options object at all, trusting framework defaults that no longer exist in modern frameworks. One stolen session cookie means full account takeover — no password reset, no MFA prompt, just a working logged-in request.

Remediation

Set all three flags explicitly:

cookies().set('session', token, {
  httpOnly: true,
  secure: process.env.NODE_ENV === 'production',
  sameSite: 'lax',
  path: '/',
})

Deeper remediation guidance and cross-reference coverage for this check lives in the saas-authentication Pro audit — run that after applying this fix for a more exhaustive pass on the same topic.

Detection

ID: project-snapshot.auth-access.session-cookies-secure
Severity: critical
What to look for: Enumerate every cookies().set(...), cookieStore.set(...), res.cookie(...), setCookie(...) call in the codebase. For each session-related cookie (name contains session, auth, token, jwt, sid), check the options: httpOnly: true, secure: true (or conditional on production), sameSite: 'lax' or 'strict'.
Pass criteria: Every detected session cookie has all three flags set correctly. secure may be process.env.NODE_ENV === 'production' (acceptable conditional).
Fail criteria: Any session cookie missing httpOnly, missing secure (without prod conditional), or with sameSite: 'none' without justification.
Skip (N/A) when: No session/auth cookies detected (e.g., the project uses only JWT in Authorization headers, no cookie-based auth). Quote the absence of any matching .set call.
Do NOT pass when: A library default is assumed to handle cookies — only count explicit configuration. NextAuth.js / next-auth manages cookies internally with safe defaults; that COUNTS as pass for next-auth-managed cookies, but custom cookies still need explicit flags.
Report even on pass: "Found N session cookie set calls; all set httpOnly + secure + sameSite." Or "Session cookies managed by next-auth (uses safe defaults)."
Detail on fail: "Session cookie 'sid' set in middleware.ts without httpOnly flag" or "Auth cookie missing sameSite attribute in 2 places".

Remediation: Set all three flags explicitly:

cookies().set('session', token, {
  httpOnly: true,
  secure: process.env.NODE_ENV === 'production',
  sameSite: 'lax',
  path: '/',
})

Why it matters

Remediation

Set all three flags explicitly:

cookies().set('session', token, {
  httpOnly: true,
  secure: process.env.NODE_ENV === 'production',
  sameSite: 'lax',
  path: '/',
})

Deeper remediation guidance and cross-reference coverage for this check lives in the saas-authentication Pro audit — run that after applying this fix for a more exhaustive pass on the same topic.

Detection

ID: project-snapshot.auth-access.session-cookies-secure
Severity: critical
What to look for: Enumerate every cookies().set(...), cookieStore.set(...), res.cookie(...), setCookie(...) call in the codebase. For each session-related cookie (name contains session, auth, token, jwt, sid), check the options: httpOnly: true, secure: true (or conditional on production), sameSite: 'lax' or 'strict'.
Pass criteria: Every detected session cookie has all three flags set correctly. secure may be process.env.NODE_ENV === 'production' (acceptable conditional).
Fail criteria: Any session cookie missing httpOnly, missing secure (without prod conditional), or with sameSite: 'none' without justification.
Skip (N/A) when: No session/auth cookies detected (e.g., the project uses only JWT in Authorization headers, no cookie-based auth). Quote the absence of any matching .set call.
Do NOT pass when: A library default is assumed to handle cookies — only count explicit configuration. NextAuth.js / next-auth manages cookies internally with safe defaults; that COUNTS as pass for next-auth-managed cookies, but custom cookies still need explicit flags.
Report even on pass: "Found N session cookie set calls; all set httpOnly + secure + sameSite." Or "Session cookies managed by next-auth (uses safe defaults)."
Detail on fail: "Session cookie 'sid' set in middleware.ts without httpOnly flag" or "Auth cookie missing sameSite attribute in 2 places".

Remediation: Set all three flags explicitly:

cookies().set('session', token, {
  httpOnly: true,
  secure: process.env.NODE_ENV === 'production',
  sameSite: 'lax',
  path: '/',
})

Session cookies use httpOnly + Secure + SameSite

Why it matters

Severity rationale

Remediation

Detection

Taxons

History

Session cookies use httpOnly + Secure + SameSite

Why it matters

Severity rationale

Remediation

Detection

Taxons

History