
Secure cookie attributes in Cybersecurity - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is the purpose of the Secure attribute in cookies?
The Secure attribute ensures that the cookie is only sent over encrypted HTTPS connections, protecting it from being intercepted on unsecured networks.
beginner
What does the HttpOnly attribute do for a cookie?
HttpOnly prevents client-side scripts like JavaScript from accessing the cookie, reducing the risk of cross-site scripting (XSS) attacks stealing the cookie.
intermediate
Explain the SameSite attribute in cookies.
SameSite controls whether cookies are sent with cross-site requests. It helps prevent cross-site request forgery (CSRF) by restricting cookies to same-site or same-origin requests.
intermediate
What are the possible values of the SameSite attribute and their effects?
SameSite can be set to 'Strict' (cookies sent only on same-site requests), 'Lax' (cookies sent on same-site and some safe cross-site requests like GET), or 'None' (cookies sent on all requests but must be Secure).
advanced
Why is it important to combine Secure, HttpOnly, and SameSite attributes for cookies?
Using all three attributes together strengthens cookie security by ensuring cookies are sent only over secure connections, inaccessible to scripts, and restricted in cross-site usage, reducing risks of interception, theft, and CSRF attacks.
Which cookie attribute ensures the cookie is sent only over HTTPS?
A. Secure
B. HttpOnly
C. SameSite
D. Domain
What does the HttpOnly attribute prevent?
A. Cookies being sent over HTTP
B. Cookies expiring too soon
C. Client-side scripts from accessing the cookie
D. Cookies being sent cross-site
Which SameSite value allows cookies to be sent with top-level navigations but blocks most other cross-site requests?
A. Strict
B. Lax
C. None
D. Secure
If a cookie has SameSite=None, what other attribute must it have to be accepted by browsers?
A. Secure
B. Domain
C. HttpOnly
D. Path
Which attribute helps protect against cross-site request forgery (CSRF)?
A. Expires
B. HttpOnly
C. Secure
D. SameSite
Describe the roles of the Secure, HttpOnly, and SameSite cookie attributes in protecting user data.
Think about how each attribute limits cookie exposure or access.
Explain why setting SameSite=None requires the Secure attribute on cookies.
Consider the security risks of sending cookies cross-site without encryption.

      Practice

1. Which cookie attribute ensures that a cookie is only sent over secure HTTPS connections?
easy
A. SameSite
B. HttpOnly
C. Secure
D. Domain

Solution

Step 1: Understand the purpose of the Secure attribute
The Secure attribute restricts cookie transmission to HTTPS only, preventing the cookie from being sent over insecure HTTP.
Step 2: Compare with the other attributes
HttpOnly prevents JavaScript access, SameSite controls cross-site sending, and Domain sets the cookie's scope. Only Secure enforces HTTPS.
Final Answer:
Secure -> Option C
Quick Check:
Secure = HTTPS only [OK]
Hint: Secure means HTTPS only, no insecure sending [OK]
Common Mistakes:
• Confusing HttpOnly with Secure
• Thinking SameSite controls HTTPS
• Assuming Domain affects security
2. Which of the following is the correct way to set a cookie with the HttpOnly attribute in an HTTP header?
easy
A. Set-Cookie: sessionId=abc123; httpOnly
B. Set-Cookie: sessionId=abc123; HttpOnly
C. Set-Cookie: sessionId=abc123; HTTPONLY
D. Set-Cookie: sessionId=abc123; Http-only

Solution

Step 1: Check the attribute's spelling and casing
HttpOnly must be spelled 'HttpOnly', without spaces or hyphens.
Step 2: Validate the options
Set-Cookie: sessionId=abc123; HttpOnly uses the standard spelling and casing. The others use non-standard casing or hyphenation.
Final Answer:
Set-Cookie: sessionId=abc123; HttpOnly -> Option B
Quick Check:
HttpOnly attribute uses standard casing [OK]
Hint: HttpOnly standard casing: capital H and O [OK]
Common Mistakes:
• Using lowercase 'httponly'
• Adding hyphens like 'Http-only'
• Using all uppercase 'HTTPONLY'
3. Consider this Set-Cookie header:
Set-Cookie: id=123; Secure; HttpOnly; SameSite=Strict
Which of the following is true about this cookie?
medium
A. It will only be sent over HTTPS and not accessible via JavaScript.
B. It will be sent with cross-site requests regardless of origin.
C. It is not restricted to HTTPS and can be sent over HTTP.
D. It can be accessed by JavaScript on the client side.

Solution

Step 1: Analyze the Secure and HttpOnly attributes
Secure means the cookie is sent only over HTTPS. HttpOnly means JavaScript cannot access it.
Step 2: Understand the effect of SameSite=Strict
SameSite=Strict prevents the cookie from being sent with cross-site requests, further limiting its exposure.
Final Answer:
It will only be sent over HTTPS and not accessible via JavaScript. -> Option A
Quick Check:
Secure + HttpOnly + SameSite=Strict = HTTPS only, no JS access [OK]
Hint: Secure + HttpOnly means HTTPS only and no JS access [OK]
Common Mistakes:
• Thinking HttpOnly allows JavaScript access
• Assuming SameSite=Strict allows cross-site sending
• Ignoring the effect of the Secure attribute
4. A developer sets a cookie with this header:
Set-Cookie: token=abc; Secure; SameSite=None
Users report the cookie is not sent in some browsers. What is the likely issue?
medium
A. SameSite=None requires the Secure attribute, which is missing.
B. The HttpOnly attribute is missing, causing the cookie to be blocked.
C. SameSite=None is invalid and blocks the cookie.
D. The Secure attribute requires HTTPS, but the site uses HTTP.

Solution

Step 1: Understand the Secure attribute requirement
Secure cookies are only sent over HTTPS connections. If the site uses HTTP, the cookie won't be sent.
Step 2: Check the relation between SameSite=None and Secure
SameSite=None requires the Secure attribute to be set, which is done here, so that is not the issue.
Final Answer:
The Secure attribute requires HTTPS, but the site uses HTTP. -> Option D
Quick Check:
Secure cookie + HTTP site = cookie not sent [OK]
Hint: Secure cookies need HTTPS; HTTP sites block them [OK]
Common Mistakes:
• Thinking SameSite=None alone blocks cookies
• Assuming HttpOnly is required for sending
• Ignoring the HTTPS requirement for Secure
5. A website wants to protect user session cookies from being stolen via cross-site scripting (XSS) and from cross-site request forgery (CSRF). Which combination of cookie attributes best achieves this?
hard
A. Secure; HttpOnly; SameSite=Strict
B. HttpOnly; SameSite=None
C. Secure; SameSite=Lax
D. SameSite=Strict only

Solution

Step 1: Limit XSS impact with HttpOnly
HttpOnly prevents JavaScript access to the cookie, so a script injected via XSS cannot read it.
Step 2: Prevent CSRF with SameSite=Strict, and add Secure
SameSite=Strict blocks the cookie from being sent on cross-site requests, preventing CSRF. Secure ensures the cookie is sent only over HTTPS, adding protection against interception.
Final Answer:
Secure; HttpOnly; SameSite=Strict -> Option A
Quick Check:
HttpOnly + Secure + SameSite=Strict = best XSS and CSRF protection [OK]
Hint: Use all three: Secure, HttpOnly, SameSite=Strict for best safety [OK]
Common Mistakes:
• Using SameSite=None, which allows cross-site sending
• Omitting the Secure attribute on HTTPS sites
• Relying on SameSite alone without HttpOnly