Learning Path
Ship Secure Auth and Cookies
A security-focused path for login state, browser credentials, and defensive HTTP defaults.
Built for: Engineers building web auth, session handling, and browser-facing APIs.
What you should get from this path
- Choose safer cookie defaults for production.
- Understand the tradeoffs between cookies, sessions, and auth headers.
- Avoid common CORS, CSRF, and token-handling mistakes.
Read the foundational guides
These explain the threat model before you choose implementation details.
HTTP Authentication Methods and Best Practices
A comprehensive guide to HTTP authentication methods including Basic Auth, Bearer tokens, API keys, and OAuth 2.0.
Covers the core authentication flows, credentials, and HTTP-level choices.
Cookie Security: HttpOnly, SameSite, and Secure Flags
A comprehensive guide to understanding and implementing secure HTTP cookies to protect against XSS, CSRF, and session hijacking attacks.
Focuses on HttpOnly, SameSite, Secure, CSRF, and XSS tradeoffs.
HTTP Sessions and State Management Explained
Learn how to manage user state and sessions in stateless HTTP applications using cookies, tokens, and server-side storage.
Connects browser state, server sessions, and practical application behavior.
Cross-Origin Resource Sharing (CORS)
Master Cross-Origin Resource Sharing (CORS) for secure cross-origin HTTP requests. Learn preflight requests, headers, credentials, and common error solutions.
Important when browser credentials cross origins or preflights enter the flow.
Use the right references
Keep the policy-setting headers and cookie attributes close at hand.
Set-Cookie
Learn how the Set-Cookie header instructs browsers to store cookies with attributes like HttpOnly, Secure, SameSite, and expiration settings.
The central reference for how cookie attributes are encoded and sent.
HttpOnly Cookie Attribute: XSS Protection
Learn how the HttpOnly cookie attribute protects against XSS attacks by preventing JavaScript access to sensitive cookies.
Explains the default you usually want for browser-managed auth cookies.
Secure
Learn how the Secure cookie attribute ensures cookies are only sent over HTTPS connections. Protect sensitive data from man-in-the-middle attacks.
Makes clear why sensitive cookies should only travel over HTTPS.
SameSite Cookie Attribute: CSRF Protection
Learn how the SameSite cookie attribute prevents CSRF attacks, the differences between Strict, Lax, and None, and when to use each.
The most important browser-side control for CSRF risk.
Authorization Header: HTTP Authentication
Learn how the Authorization header works, different authentication schemes (Bearer, Basic, API keys), and security best practices.
Use this to compare bearer-token patterns against cookie-based auth.
Compare and validate your choices
These pages help you decide, then test the resulting configuration.
Cookie-Based vs Session-Based Auth
Side-by-side breakdown of browser cookies, server sessions, and their tradeoffs.
Clarifies which state model fits your application and threat model.
Set-Cookie Builder
Compose a Set-Cookie header visually with safe defaults and validation.
Lets you verify attribute combinations before shipping them.
Header Inspector
Inspect live responses to confirm cookies and security headers are present.
Useful for checking what your app is actually sending in production.