Web Fundamentals

Cookie Security & Session Hardening: SameSite, HttpOnly, Secure

Web Fundamentals Map

Rendering & Browser Architecture

Critical Rendering Path Script Loading Patterns (async/defer)Event Loop Deep Dive JavaScript Module Systems (CJS, ESM, UMD)Dynamic Module Loading (import())Import on Interaction Import on Visibility Browser Rendering Pipeline & Layout Thrashing Rendering Strategies (CSR, SSR, SSG, ISR)Streaming SSR & Progressive HTML Islands Architecture React Server Components Framework Reactivity (React, Vue, Svelte, Solid)HTTP/1.1 vs HTTP/2 vs HTTP/3 (QUIC)DNS Resolution & TTL Caching

Performance

Core Web Vitals: LCP, INP, CLS Performance Optimization Trade-offs Critical Resource Prioritization Code Splitting & Dynamic Imports Tree Shaking & Dead Code Elimination Lazy Loading Resource Hints: Preload, Prefetch & Preconnect Text Compression: Gzip & Brotli Image & Video Optimization Adaptive Loading List Virtualization Web Workers vs Main Thread Memory Leaks: Detection & Prevention Managing Third-Party Scripts How CDNs Work HTTP Caching Deep Dive Service Workers & Offline Strategy PWA Fundamentals

Security

Cross-Site Scripting (XSS)Cross-Site Request Forgery (CSRF)CORS Explained CORS Preflight, Credentials & Misconfigurations Content Security Policy (CSP)Why is HTTPS Secure? (TLS/SSL)Authorization Best Practices Cookie Security & Session Hardening

State & Data Architecture

State Management Guide (Context vs Zustand vs Redux)React Query & Server State Caching Data Fetching Patterns Caching Strategies Pagination: Offset vs Cursor-Based Real-time Communication (WebSocket, SSE, Polling)

easyWeb Fundamentals

Cookie Security & Session Hardening: SameSite, HttpOnly, Secure

Learn the interview-ready mental model, practical trade-offs, and production patterns for this web fundamentals topic.

Topic content

TL;DRHttpOnly blocks JS access • Secure restricts to HTTPS • SameSite controls cross-site sending. Combine with proper session lifecycle.

High Signal

Google

Meta

Netflix

Agoda

30-Second Answerstart every interview with this

Cookie security attributes significantly reduce attack surface for session hijacking, XSS, and CSRF. HttpOnly prevents JavaScript access, Secure ensures HTTPS-only transmission, and SameSite controls cross-site behavior. These must be combined with proper session lifecycle management.

HttpOnly = sealed envelope (JS can't read inside). Secure = only delivered by trusted courier (HTTPS). SameSite = only delivered when the recipient is from the same organization (same-site context).

Set Cookie with Attributes

HttpOnly

JS cannot read

Secure

Only over HTTPS

SameSite

Controls cross-site sending

Reduced Attack Surface

1HttpOnly

Prevents JavaScript from accessing the cookie via document.cookie. Critical for session identifiers to reduce XSS impact.

With HttpOnly → Attacker with XSS cannot steal session cookie directly

Without HttpOnly → XSS can read and exfiltrate cookie

2Secure

Ensures the cookie is only sent over HTTPS connections. Essential in production to prevent interception on unsecured networks.

3SameSite Attribute

Controls whether cookies are sent in cross-site requests. Strict offers strongest CSRF protection; Lax balances usability; None requires Secure.

4Domain, Path & Cookie Prefixes

Narrow scope with Domain and Path. Use __Host- and __Secure- prefixes for extra hardening on important cookies.

Key Takeaways

✓HttpOnly prevents JS access to sensitive cookies
✓Secure ensures transmission only over HTTPS
✓SameSite controls cross-site cookie behavior
✓Use __Host- and __Secure- prefixes for extra protection
✓Narrow cookie scope with Domain and Path
✓Combine with proper session lifecycle management
✓Cookie hardening is defense-in-depth, not a complete solution

Topic Guide

On this page