
Secure cookie attributes in Cybersecurity - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is the purpose of the Secure attribute in cookies?
The Secure attribute ensures that the cookie is only sent over encrypted HTTPS connections, protecting it from being intercepted on unsecured networks.
beginner
What does the HttpOnly attribute do for a cookie?
HttpOnly prevents client-side scripts like JavaScript from accessing the cookie, reducing the risk of cross-site scripting (XSS) attacks stealing the cookie.
intermediate
Explain the SameSite attribute in cookies.
SameSite controls whether cookies are sent with cross-site requests. It helps prevent cross-site request forgery (CSRF) by restricting cookies to same-site or same-origin requests.
intermediate
What are the possible values of the SameSite attribute and their effects?
SameSite can be set to 'Strict' (cookies sent only on same-site requests), 'Lax' (cookies sent on same-site and some safe cross-site requests like GET), or 'None' (cookies sent on all requests but must be Secure).
advanced
Why is it important to combine Secure, HttpOnly, and SameSite attributes for cookies?
Using all three attributes together strengthens cookie security by ensuring cookies are sent only over secure connections, inaccessible to scripts, and restricted in cross-site usage, reducing risks of interception, theft, and CSRF attacks.
Which cookie attribute ensures the cookie is sent only over HTTPS?
A. Secure
B. HttpOnly
C. SameSite
D. Domain
What does the HttpOnly attribute prevent?
A. Cookies being sent over HTTP
B. Cookies expiring too soon
C. Client-side scripts from accessing the cookie
D. Cookies being sent cross-site
Which SameSite value allows cookies to be sent with top-level navigations but blocks most other cross-site requests?
A. Strict
B. Lax
C. None
D. Secure
If a cookie has SameSite=None, what other attribute must it have to be accepted by browsers?
A. Secure
B. Domain
C. HttpOnly
D. Path
Which attribute helps protect against cross-site request forgery (CSRF)?
A. Expires
B. HttpOnly
C. Secure
D. SameSite
Describe the roles of Secure, HttpOnly, and SameSite cookie attributes in protecting user data.
Think about how each attribute limits cookie exposure or access.
Explain why setting SameSite=None requires the Secure attribute on cookies.
Consider the security risks of sending cookies cross-site without encryption.