Secure: tells the browser to send the cookie only over encrypted HTTPS, preventing it from being transmitted in cleartext where a network attacker could intercept it. It does not encrypt the cookie itself.
What does HttpOnly protect against?
HttpOnly: makes the cookie inaccessible to document.cookie, so even a successful XSS payload cannot exfiltrate the session token directly, reducing the blast radius of script injection.
How does SameSite=Strict differ from SameSite=Lax?
SameSite=Strict withholds the cookie on all cross-site requests (even when the user clicks a link from another site), while SameSite=Lax still sends it on safe (e.g. GET) top-level navigations, balancing CSRF protection with usability.
What does the __Host- cookie name prefix enforce?
__Host- prefix: a browser-enforced naming convention requiring the cookie be Secure, omit Domain, and use Path=/, preventing subdomain or insecure-origin tampering with the cookie.
What is the difference between a session cookie and a persistent cookie?
Session vs persistent: without an Expires or Max-Age attribute, a cookie lives only for the browsing session and is deleted on close. Setting those attributes makes it persist on disk until the deadline.