Medium severity · Next.js

Cookie missing Secure flag on Next.js

One of your cookies is set without the `Secure` attribute. Without it, the browser attaches the cookie to any http:// request to your domain, where anyone on the network path (for example on the same Wi-Fi network) can read it in cleartext. The victim does not have to open an http:// URL deliberately: a plain-HTTP request for an image or script on your domain, triggered from any other page, is enough for the browser to send the cookie. Every cookie on an HTTPS site should carry `Secure`. The fix is one attribute in your `Set-Cookie` header: `; Secure`. Apply it wherever your app sets cookies (auth middleware, session library, framework config).

The fix for Next.js

Next.js cookies

When setting cookies, always pass `secure: true`. `cookies()` from `next/headers` can set cookies in Route Handlers and Server Actions (it is async in Next.js 15; in Next.js 14 call it without `await`). In middleware, set the cookie on the `NextResponse` you return with `response.cookies.set(...)`, which accepts the same options.

import { cookies } from 'next/headers';

// Call from a Route Handler or Server Action once `token` has been issued.
export async function setSessionCookie(token) {
  const cookieStore = await cookies();
  cookieStore.set({
    name: 'session',
    value: token,
    httpOnly: true,   // not readable from document.cookie
    secure: true,     // only sent over HTTPS; this is the fix for the finding
    sameSite: 'lax',  // not attached to cross-site POST requests
    path: '/',
    maxAge: 60 * 60 * 24 * 7, // one week, in seconds
  });
}

Why it matters

Session cookies without Secure can be captured in cleartext on public Wi-Fi and replayed to impersonate the user. HSTS helps but does not replace it: HSTS only stops the browser from making plain-HTTP requests to hosts it has already seen the header from, and only after the first HTTPS visit, whereas Secure keeps the cookie off every http:// request from the moment it is set. Treat them as two layers, HSTS at the transport level and Secure at the cookie level. For the session cookie, consider the `__Host-` name prefix as well: browsers only accept a `__Host-` cookie that is Secure, has Path=/ and no Domain, so a misconfigured copy is rejected by the browser itself.

Confirm the fix worked

Scan your Next.js site to confirm this finding is gone. You can also check by hand: request the endpoint that issues the cookie (usually login) over HTTPS without following redirects, since the cookie is normally set on the redirecting response, and confirm that every Set-Cookie header it returns contains `Secure`.
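The same check as a small Node script, added here as an example and not part of the original page or of Next.js. It parses each Set-Cookie header, reports missing Secure, HttpOnly and SameSite, and also flags the two combinations browsers drop outright (SameSite=None or a `__Host-`/`__Secure-` name without Secure). The function names are this example's own, the sample headers are constructed, and the live mode assumes Node 18+ for the global `fetch`.

```javascript
// Added example, not part of the original page or of Next.js: audit the
// Set-Cookie headers of an HTTP response for the attributes this finding
// is about. Function names (parseSetCookie, auditSetCookie, auditHeaders,
// fetchSetCookies) are this example's own.
//
//   node audit-cookies.js https://app.example.com/api/login
//
// With no URL argument it audits the constructed sample headers below, so
// the script also runs offline.

// Constructed sample Set-Cookie values (not from a real site).
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly; SameSite=Lax',          // the finding: no Secure
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',  // fixed
  'theme=dark; Path=/; Secure; SameSite=Lax',                // readable by JS by design
  '__Host-csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict',
  'tracker=1; SameSite=None',                                // browsers reject this one
];

// Split one Set-Cookie value into the cookie name and a map of attributes.
// Attribute names are case-insensitive (RFC 6265), so keys are lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const attributes = {};
  for (const attr of attrs) {
    const [key, ...rest] = attr.trim().split('=');
    if (key) attributes[key.toLowerCase()] = rest.length ? rest.join('=') : true;
  }
  return { name, attributes };
}

// Findings for one cookie. Beyond the three attributes the page asks for, it
// flags the two cases where a missing Secure makes browsers drop the cookie
// entirely: SameSite=None and the __Host-/__Secure- name prefixes.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  const secure = 'secure' in attributes;
  if (!secure) findings.push('missing Secure');
  if (!('httponly' in attributes)) findings.push('missing HttpOnly');
  if (!('samesite' in attributes)) findings.push('missing SameSite');
  if (String(attributes.samesite ?? '').toLowerCase() === 'none' && !secure) {
    findings.push('SameSite=None requires Secure');
  }
  if (/^__(host|secure)-/i.test(name) && !secure) {
    findings.push('name prefix requires Secure');
  }
  return { name, findings };
}

// Audit a list of Set-Cookie values and keep only the cookies with findings.
function auditHeaders(headers) {
  return headers.map(auditSetCookie).filter((r) => r.findings.length > 0);
}

// Fetch one URL and return its raw Set-Cookie values. Redirects are not
// followed because the cookie is usually set on the redirecting response.
async function fetchSetCookies(url) {
  const res = await fetch(url, { redirect: 'manual' });
  if (typeof res.headers.getSetCookie === 'function') return res.headers.getSetCookie();
  // Older runtimes fold several Set-Cookie headers into one comma-joined
  // string; splitting it back apart is best effort.
  const joined = res.headers.get('set-cookie');
  return joined ? joined.split(/,(?=\s*[^;,=\s]+=)/) : [];
}

async function main() {
  const url = process.argv.slice(2).find((a) => /^https?:\/\//.test(a));
  const headers = url ? await fetchSetCookies(url) : SAMPLE_HEADERS;
  const results = auditHeaders(headers);
  for (const r of results) console.log(`${r.name}: ${r.findings.join(', ')}`);
  if (results.length === 0) console.log('all cookies carry Secure, HttpOnly and SameSite');
  if (url && results.length > 0) process.exitCode = 1; // non-zero for CI when a live site fails
}

main().catch((err) => { console.error(err); process.exitCode = 1; });
```

Point it at the login endpoint rather than the home page: a page that only reads the session cookie returns no Set-Cookie header and the audit has nothing to inspect.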

AI prompt

Apply across your codebase

Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.

Audit every place my app sets cookies. For each cookie, add the Secure, HttpOnly, and SameSite=Lax attributes (or SameSite=Strict for auth cookies). Explain any cookie where I need JavaScript access and cannot use HttpOnly.

FAQ

Frequently asked questions

What about localhost?
Secure cookies are accepted on http://localhost in modern browsers (Chrome 89+, Firefox 75+), so the usual local setup works with `secure: true` unchanged. If yours do not, set `secure` conditionally, but key the condition on the request (plain HTTP to a loopback host) rather than on NODE_ENV alone: a staging or preview deployment that forgets to set NODE_ENV=production would otherwise ship the session cookie without Secure.
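The conditional described in this answer, worked through as an added example that is not part of the original page or of Next.js. Secure is relaxed only for plain HTTP to a loopback host, a request that is really HTTPS behind a TLS-terminating proxy (seen through `x-forwarded-proto`) keeps the flag, and the options are serialised into the Set-Cookie header so the result can be checked without a browser. `shouldBeSecure`, `sessionCookie` and `buildSetCookie` are this example's own names, the request shape is a simplification of the Next.js request, and the sample requests are constructed.

```javascript
// Added example, not part of the original page or of Next.js: decide the
// Secure flag per request instead of from NODE_ENV alone, and serialise the
// resulting options into the Set-Cookie header so the outcome can be
// inspected without a browser. shouldBeSecure, sessionCookie and
// buildSetCookie are this example's own names; the request shape
// { host, protocol, forwardedProto } is a simplification of the Next.js
// request (Host and X-Forwarded-Proto headers plus the URL's protocol).

// Secure is dropped only for plain HTTP to a loopback host. Plain HTTP to any
// other host keeps Secure (the browser will then refuse the cookie, which is
// the safe failure for a deployment that was never meant to serve HTTP).
// Trusting X-Forwarded-Proto can only turn the flag on, never off, for a
// non-loopback host, so a spoofed header gains an attacker nothing here.
function shouldBeSecure({ host, protocol, forwardedProto }) {
  const proto = (forwardedProto ?? protocol ?? '').replace(':', '').toLowerCase();
  const isLoopback = /^(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/i.test(host ?? '');
  return !(isLoopback && proto === 'http');
}

// Options in the shape cookieStore.set() / response.cookies.set() accept.
function sessionCookie(token, req) {
  return {
    name: 'session',
    value: token,
    httpOnly: true,
    secure: shouldBeSecure(req),
    sameSite: 'lax',
    path: '/',
    maxAge: 60 * 60 * 24 * 7,
  };
}

// Serialise cookie options into a Set-Cookie header value. The checks mirror
// rules browsers enforce, so a bad combination fails here instead of as a
// cookie the browser silently drops.
function buildSetCookie(name, value, opts) {
  if (name.startsWith('__Host-') && (!opts.secure || opts.path !== '/' || opts.domain)) {
    throw new Error('__Host- cookies need Secure, Path=/ and no Domain');
  }
  if (name.startsWith('__Secure-') && !opts.secure) {
    throw new Error('__Secure- cookies need Secure');
  }
  if (String(opts.sameSite ?? '').toLowerCase() === 'none' && !opts.secure) {
    throw new Error('SameSite=None needs Secure');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (Number.isFinite(opts.maxAge)) parts.push(`Max-Age=${Math.floor(opts.maxAge)}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    const s = String(opts.sameSite);
    parts.push(`SameSite=${s[0].toUpperCase()}${s.slice(1).toLowerCase()}`);
  }
  return parts.join('; ');
}

// Constructed requests: local dev, a staging box behind a TLS-terminating
// proxy (the app sees http but the browser spoke https), and production.
const SAMPLE_REQUESTS = {
  localDev: { host: 'localhost:3000', protocol: 'http:' },
  staging: { host: 'staging.example.com', protocol: 'http:', forwardedProto: 'https' },
  production: { host: 'app.example.com', protocol: 'https:' },
};

// The Set-Cookie header each sample request would get.
function sampleHeaders(token = 'opaque-token') {
  const out = {};
  for (const [label, req] of Object.entries(SAMPLE_REQUESTS)) {
    const c = sessionCookie(token, req);
    out[label] = buildSetCookie(c.name, c.value, c);
  }
  return out;
}

for (const [label, header] of Object.entries(sampleHeaders())) {
  console.log(`${label}: ${header}`);
}
```

In a Route Handler the request values would come from `request.headers.get('host')`, `request.headers.get('x-forwarded-proto')` and `new URL(request.url).protocol`, and the returned options go straight into `cookieStore.set(...)` or `response.cookies.set(...)`. Only read `x-forwarded-proto` when your own proxy sets it; it is harmless here because it can only add the flag, but elsewhere in an app it should not be trusted from arbitrary clients.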