How to fix cookies without the Secure flag
One of your cookies is set without the `Secure` attribute. This means the browser will send it over plain HTTP — readable by anyone on the same Wi-Fi network. Every cookie on an HTTPS site should have `Secure`. The fix is one attribute in your `Set-Cookie` header: `; Secure`. Update wherever your app sets cookies (auth middleware, session library, framework config).
Why it matters
Session cookies without Secure can be intercepted on public Wi-Fi and used to impersonate the user. HSTS helps but does not replace this — Secure is a defense at the cookie level.
How to check
- DevTools → Application → Cookies → check each cookie.
- The `Secure` column should be true for every cookie on an HTTPS site.
- For session/auth cookies, HttpOnly and SameSite should also be set.
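The same check can be run against raw `Set-Cookie` headers instead of clicking through DevTools. This is an added example, not SafeToShip's code; the header values are constructed, and which cookie names count as session/auth cookies is an assumption you pass in.

```javascript
// Added example (not SafeToShip's code): audit Set-Cookie header values for the
// attributes this guide describes. The auth cookie names are an assumption.

// Split "name=value; Attr; Attr=val" into the cookie name and a map of
// lower-cased attribute names -> value (true for bare flags such as Secure).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Check one header; isAuthCookie enables the stricter session-cookie checks.
function auditSetCookie(header, isAuthCookie = false) {
  const { name, attributes } = parseSetCookie(header);
  const problems = [];
  if (!attributes.secure) problems.push('missing Secure');
  if (isAuthCookie && !attributes.httponly) problems.push('missing HttpOnly');
  const sameSite = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : null;
  if (!sameSite) problems.push('missing SameSite');
  else if (sameSite === 'none' && !attributes.secure) problems.push('SameSite=None requires Secure');
  return { name, problems };
}

// Audit every Set-Cookie header of a response; returns only cookies with findings.
function auditResponseCookies(setCookieHeaders, authCookieNames = ['session']) {
  return setCookieHeaders
    .map((h) => auditSetCookie(h, authCookieNames.includes(parseSetCookie(h).name)))
    .filter((r) => r.problems.length > 0);
}

// Constructed sample headers, as a response might carry them.
const SAMPLE_HEADERS = [
  'session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/', // hardened, no findings
  'legacy_session=def456; Path=/',                           // the case this guide fixes
  'theme=dark; Secure; SameSite=Lax; Path=/',                // non-auth cookie, fine
  'ab_test=1; SameSite=None; Path=/',                        // None without Secure is rejected by browsers
];

for (const r of auditResponseCookies(SAMPLE_HEADERS, ['session', 'legacy_session'])) {
  console.log(`${r.name}: ${r.problems.join(', ')}`);
}
```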
How to fix it
Next.js cookies
When setting cookies in Route Handlers or middleware, always pass `secure: true`.

```ts
import { cookies } from 'next/headers';

// In a Route Handler; `token` is the session value your app issues.
const cookieStore = await cookies();
cookieStore.set({
  name: 'session',
  value: token,
  httpOnly: true,
  secure: true,
  sameSite: 'lax',
  path: '/',
  maxAge: 60 * 60 * 24 * 7, // one week, in seconds
});
```

Generic
Add `Secure` to every cookie.
```
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/
```

AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
Audit every place my app sets cookies. For each cookie, add the Secure, HttpOnly, and SameSite=Lax attributes (or SameSite=Strict for auth cookies). Explain any cookie where I need JavaScript access and cannot use HttpOnly.

FAQ
Frequently asked questions
- What about localhost?
- Secure cookies do work on localhost in modern browsers (Chrome 89+, Firefox 75+). If yours do not, set them conditionally based on NODE_ENV.
Related fix guides
Fix these too
- Cookie missing HttpOnly: HttpOnly stops JavaScript from reading a cookie, which is critical for session tokens. Here is when and how to set it.
- Cookie missing SameSite: SameSite controls whether cookies are sent on cross-site requests — the main defense against CSRF. Here is how to set it.
- Missing HSTS header: HSTS tells browsers to always use HTTPS for your site. Without it, users can be downgraded to HTTP and have sessions stolen. Here is how to add HSTS on Vercel, Next.js, and other hosts.