Fix
Insecure Cookies
Ensure auth cookies are Secure, HttpOnly, and have an appropriate SameSite policy.
InfoCategory: security
Fix steps
- Mark auth/session cookies as Secure so the browser only sends them over HTTPS; without it, a single plaintext request to the same host leaks the session to anyone on the network path.
- Set HttpOnly on cookies that JavaScript has no legitimate need to read (session cookies in particular), so they are not exposed through document.cookie if an XSS bug is found.
- Set SameSite=Lax, or Strict where it does not break top-level navigation into the app, unless a cross-site flow genuinely needs the cookie. SameSite=None must be combined with Secure or browsers reject the cookie.
- If exposure is suspected, rotate the session/cookie-signing secret and invalidate outstanding sessions; the attributes above protect cookies issued from then on, not ones already leaked.