Tell Me When Down
How it worksWhat we checkPricing
BlogFree toolsCompareDocs
Log inGet started
All posts
Shipping securely on a budget

Secure, HttpOnly, SameSite: the cookie flags that matter

July 18, 2026·5 min read
A single cookie lit on a dark surface — a session token that's only as safe as the flags set on it.

Three small flags decide whether your session cookie is a locked token or a liability: Secure, HttpOnly, and SameSite. Miss them and the cookie that keeps a user logged in becomes the easiest thing on your site to steal or misuse — and nothing looks wrong until it's abused.

These aren't obscure. They're defaults a framework or app builder often doesn't set, and each one closes a specific, well-known attack.

Secure — never send it over plain HTTP

The Secure flag tells the browser to only ever send the cookie over HTTPS. Without it, a single request over http:// — a stray link, a downgrade — sends the session cookie in the clear, where anyone on the network can read it. With it, the cookie simply isn't sent on an insecure connection.

HttpOnly — hide it from JavaScript

HttpOnly makes the cookie invisible to client-side scripts. This is what limits the damage of a cross-site scripting bug: if an attacker manages to run JavaScript on your page, an HttpOnly session cookie is still out of their reach. Leave it off and any injected script can read the cookie and hand the session to someone else.

A session cookie without HttpOnly turns every XSS bug into a full account-takeover: the script that runs can grab the cookie and impersonate the user. The flag doesn't stop the XSS — it stops the XSS from stealing the session.

SameSite — control cross-site sending

SameSite controls whether the cookie is sent on requests coming from other sites. Set to Lax or Strict, it stops another site from silently making authenticated requests as your logged-in user — the mechanism behind CSRF. Lax is a sensible default for most session cookies; Strict is tighter but can log users out when they arrive from an external link.

Check what your cookies are flagged with

You don't have to dig through response headers by hand — a scan shows which flags each cookie carries and which are missing:

free tool · no loginCookie security checkPaste your URL and see whether your cookies set Secure, HttpOnly, and SameSite — and which are missing. No login.

Cookie flags are one line on the broader launch security checklist, and they sit alongside the security headers as the outside-view defaults almost every new site is missing.

Flag the cookies, then keep the whole site watched.

The scanner shows what's missing today. Tell Me When Down watches your site after — SSL that lapses, a page that goes down, an endpoint that starts erroring — free, no card, so you're not the last to know.

Watch my sitefree · no card required
more on shipping securely on a budget
The website launch security checklist nobody hands youYou get a deploy button, not a checklist — so most sites launch with the cert valid and nothing else checked. The four things to test from your URL in seconds, plus the code-side items that cost the most.Website down from an expired SSL certificateAn expired certificate is a full outage — every visitor hits a red warning, though the server's fine. Here's why auto-renewal still fails silently, why shrinking cert lifetimes make it likelier, and how to see it coming.My website says "Not Secure" — what it means and how to fix itThe "Not secure" label looks like a hack but usually isn't — it means your site isn't using HTTPS properly. Here's what the browser is really saying, and the common causes in plain language, fixed one by one.What are security headers? A plain-English guideSecurity headers tell the browser how to behave safely — refuse HTTP, block framing, don't guess file types. Here's what each of the ones that matter actually does, and why almost every new site ships without them.How to add security headers in Next.js (including CSP)Next.js sends no security headers by default. The static ones are a config block; the hard part is a CSP that helps without blocking your own scripts. Here's the nonce approach, the report-only trick, and the version caveat.SSL certificate expiry monitoring: why the calendar reminder failsA calendar reminder assumes your renewal works. But auto-renewal is a background job that fails silently, and cert lifetimes are dropping to 47 days by 2029. Here's why manual SSL tracking breaks, and what to monitor instead.

spot something wrong or out of date? [email protected] — we'll fix it

Tell Me When Down

Uptime and security monitoring for people who'd rather ship than babysit servers. We watch so you can sleep.

product
How it worksWhat we checkPricingDocsBlogFAQ
free toolsWebsite security scanSupabase pause checkRender sleep checkMixed content checkerSecurity headers checkCookie security checkSSL expiry check
comparevs UptimeRobotvs Better Stackvs PingdomFor indie hackers
company
StatusAbout our botSupportPrivacyTerms
© 2026 TellMeWhenDown · tellmewhendown.com