Secure cookies in Next.js — HttpOnly, Secure, SameSite explained
Misconfigured cookies are how session tokens leak. Here is exactly which flags to set for session, CSRF, and preference cookies in a Next.js app.
Session cookies are how your app keeps a user logged in. If they are set without the right flags, injected JavaScript can read them, they travel over plain HTTP, and the browser attaches them to cross-site requests made by other origins.
What it is
HTTP cookies ship with a set of attributes. `HttpOnly` stops JavaScript (including an injected XSS payload) from reading them through `document.cookie`. `Secure` stops the browser from sending them over plain HTTP. `SameSite` controls whether the browser attaches them to cross-site requests. The right combination depends on what the cookie is for: a session token, a CSRF token, and a preference cookie each need a different set.
Vulnerable example
// Vulnerable: all three flags missing.
import { cookies } from "next/headers";

cookies().set("session", token, {
  path: "/",
  // httpOnly: missing -> readable by any XSS via document.cookie
  // secure: missing -> sent over plain HTTP if any http:// link leaks
  // sameSite: missing -> no SameSite attribute is emitted; Chromium treats that as Lax,
  //                      other browsers may still send it cross-site, so set it explicitly
});

Fixed example
// Fixed: full hardening for a session cookie
import { cookies } from "next/headers";

cookies().set("session", token, {
  path: "/",           // Domain deliberately omitted: host-only cookie
  httpOnly: true,      // not visible to document.cookie
  secure: true,        // HTTPS only
  sameSite: "lax",     // blocks most CSRF; 'strict' for admin-only cookies
  maxAge: 60 * 60 * 24 * 7, // seven days, then the browser discards it
});

How Securie catches it
Example finding: `apps/web/app/api/route.ts:22` Secure cookies in Next.js
Securie audits every cookies().set() and every Set-Cookie emission, flagging any combination that puts a session-class cookie at risk.
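The rule set such an audit applies fits in a few dozen lines. What follows is an added example, not Securie's implementation and not code from this page: it parses `Set-Cookie` header strings and reports, per cookie, the flag combinations the checklist forbids. The session-class name heuristic (`SESSION_NAME_RE`), the per-finding wording, and the sample headers are this example's own assumptions.

```javascript
// Added example: a minimal Set-Cookie audit. Not Securie's implementation.
// Assumptions: a cookie is "session-class" when its name matches SESSION_NAME_RE;
// SAMPLE_HEADERS are constructed inputs for the demo.

// Assumed naming heuristic. "token" also matches e.g. "csrf_token", so tune per app.
const SESSION_NAME_RE = /session|sid|auth|token/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const name = eq < 0 ? "" : pair.slice(0, eq).trim();
  const value = eq < 0 ? pair.trim() : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const [rawKey, ...rawValue] = part.trim().split("=");
    const key = rawKey.trim().toLowerCase();
    if (!key) continue;
    attrs[key] = rawValue.length ? rawValue.join("=").trim() : true;
  }
  return { name, value, attrs };
}

// Audit one header. Returns human-readable findings; an empty list means clean.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;

  // Rules that apply to every cookie, whatever it is used for.
  if (sameSite === "none" && attrs.secure !== true) {
    findings.push("SameSite=None without Secure; browsers reject the cookie");
  }
  if (typeof attrs.domain === "string") {
    findings.push(`Domain=${attrs.domain} shares the cookie with every subdomain; confirm that is intended`);
  }

  // Stricter rules for session-class cookies.
  if (SESSION_NAME_RE.test(name)) {
    if (attrs.httponly !== true) findings.push("readable by JavaScript (missing HttpOnly)");
    if (attrs.secure !== true) findings.push("sent over plain HTTP (missing Secure)");
    if (sameSite === null || sameSite === "none") {
      findings.push("attached to cross-site requests (SameSite missing or None)");
    }
    if (!("max-age" in attrs) && !("expires" in attrs)) {
      findings.push("no Max-Age/Expires, lifetime left to the browser");
    }
  }
  return findings.map((f) => `${name}: ${f}`);
}

// Audit a batch of headers, e.g. every Set-Cookie captured during a test run.
function auditHeaders(headers) {
  return headers.flatMap(auditSetCookie);
}

// Constructed sample headers for the demo.
const SAMPLE_HEADERS = [
  "session=abc123; Path=/",                                                  // the vulnerable example
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=604800",  // the fixed example
  "csrf=xyz; Path=/; Secure; SameSite=Strict",                               // CSRF token: no HttpOnly by design
  "theme=dark; Path=/; SameSite=None",                                       // None without Secure
  "sid=42; Path=/; Domain=.example.com; HttpOnly; Secure; SameSite=Lax; Max-Age=3600", // over-broad Domain
];

for (const line of auditHeaders(SAMPLE_HEADERS)) console.log(line);
```

Run it against headers captured from your own app (for example from `fetch` responses in an integration test) rather than the constructed list; the first sample yields four findings and the second none, which is the gap between the two code examples above.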
Checklist
- Session cookies set HttpOnly + Secure + SameSite=Lax (Strict for admin or payment contexts)
- CSRF-token cookies (double-submit pattern) are NOT HttpOnly, because client-side script has to read the token and echo it in a request header, but ARE Secure + SameSite=Strict
- maxAge / Expires is set so the cookie has a bounded lifetime; a cookie with no expiry nominally lasts until the browser closes, but session-restore features keep such cookies alive across restarts
- Domain is no broader than needed: omitting Domain gives a host-only cookie, so avoid Domain=.example.com when only app.example.com needs the cookie
- HTTPS is enforced site-wide with a Strict-Transport-Security (HSTS) header, so the browser upgrades http:// navigations before a request is made
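The checklist above as one options builder. This is an added example, not code from the page or from Securie: `cookieOptions()` returns the object to pass as the third argument to `cookies().set()` from `next/headers` for each cookie class, and `serializeCookie()` renders the `Set-Cookie` line those options produce so the result can be inspected in a test. The class names, the `adminContext` switch, and the whole preference-cookie policy are this example's assumptions; the page itself specifies only session and CSRF cookies.

```javascript
// Added example, not code from the page or from Securie.
// Assumptions: the class names "session" | "csrf" | "preference", the adminContext
// switch, and the preference-cookie policy are this example's own choices.

const SEVEN_DAYS = 60 * 60 * 24 * 7;

// Options object for cookies().set(name, value, options) per cookie class.
function cookieOptions(kind, { adminContext = false } = {}) {
  // Every class: host-only (Domain deliberately omitted), HTTPS only, explicit SameSite.
  const base = { path: "/", secure: true };
  switch (kind) {
    case "session":
      // Never readable by JS; Lax for ordinary sessions, Strict for admin/payment contexts.
      return { ...base, httpOnly: true, sameSite: adminContext ? "strict" : "lax", maxAge: SEVEN_DAYS };
    case "csrf":
      // Double-submit token: client script must read it to echo it in a header, so no HttpOnly.
      return { ...base, httpOnly: false, sameSite: "strict", maxAge: SEVEN_DAYS };
    case "preference":
      // Assumed policy (not from the page): non-sensitive UI state, readable by JS, long-lived.
      return { ...base, httpOnly: false, sameSite: "lax", maxAge: SEVEN_DAYS * 52 };
    default:
      throw new Error(`unknown cookie class: ${kind}`);
  }
}

// Render the Set-Cookie header these options produce. This mirrors the attribute
// names browsers expect; it is a checking aid, not a replacement for the framework.
function serializeCookie(name, value, opts) {
  if (opts.sameSite === "none" && !opts.secure) {
    throw new Error("SameSite=None requires Secure");
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite) {
    parts.push(`SameSite=${opts.sameSite[0].toUpperCase()}${opts.sameSite.slice(1)}`);
  }
  return parts.join("; ");
}

// Demo: the header each class produces (constructed values).
for (const kind of ["session", "csrf", "preference"]) {
  console.log(serializeCookie(kind, "example-value", cookieOptions(kind)));
}

// In a Route Handler or Server Action the call is:
//   import { cookies } from "next/headers";
//   cookies().set("session", token, cookieOptions("session"));
//   cookies().set("csrf", csrfToken, cookieOptions("csrf"));
```

In Next.js 15 and later `cookies()` returns a promise, so the call becomes `(await cookies()).set(...)`; the options object is unchanged. Keeping the policy in one function means a reviewer checks one place rather than every `cookies().set()` call site.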
FAQ
SameSite strict or lax?
Lax for general session cookies. Strict for admin-area or payment-context cookies. None only when the cookie genuinely has to be sent cross-site (third-party embeds), and then Secure is mandatory: browsers reject a SameSite=None cookie that lacks it.
Related guides
Next.js App Router apps often skip CSRF protection because they think SameSite cookies are enough. They are not always enough. Here is the specific rule.
BOLA is the top item on the OWASP API Security Top 10 for a reason — every AI coding assistant introduces it by default. Learn what it looks like in Next.js, how to exploit it, and how to fix it.
Every week founders tweet about their OpenAI bill going from $10 to $10,000 overnight. Usually the cause is an API key committed to a public repo. Here is why it happens in Next.js specifically and how to stop it in five minutes.
Unlimited API endpoints are how $150K OpenAI bills happen. Here is how to add proper rate limiting to a Next.js app using Vercel Edge Middleware, Upstash, or your existing Redis.