What is the difference between HttpOnly and Secure?

HttpOnly prevents JavaScript from reading the cookie (XSS protection). Secure ensures the cookie is only sent over HTTPS. Both should be set for sensitive cookies.

What does SameSite=Lax mean?

SameSite=Lax sends the cookie on top-level navigations (clicking a link) but not on cross-site subrequests (images, iframes, AJAX). It is the default in modern browsers.

What is the difference between Max-Age and Expires?

Max-Age sets a relative expiry in seconds from now. Expires sets an absolute date. Max-Age takes precedence when both are set. Omitting both creates a session cookie.

What is a Partitioned cookie (CHIPS)?

Partitioned cookies are isolated per top-level site, preventing cross-site tracking. They require Secure and SameSite=None attributes.

Tools

Set-Cookie Builder

Compose a Set-Cookie header visually. Toggle security attributes, set expiry, and see the generated header with a plain-English explanation of each attribute.

Generated Header

Set-Cookie: session_id=abc123; Path=/; SameSite=Lax; HttpOnly

Plain English

🍪 Sets a cookie named "session_id" with value "abc123".

🔒 HttpOnly — JavaScript cannot access this cookie (XSS protection).

🛡️ SameSite=Lax — sent on top-level navigations but not on cross-site subrequests.

🔄 Session cookie — deleted when the browser closes.

Cookie Value

Name

The cookie identifier.

Value

The cookie payload.

Domainref →

Omit to restrict to the exact host (most secure).

Pathref →

URL path prefix where the cookie is sent.

Attributes

Max-Age (seconds)ref →

Time until expiry. Overrides Expires.

Expiresref →

Absolute expiry date.

SameSiteref →

Controls cross-site sending behavior.

Secure — HTTPS only ref →HttpOnly — no JS access ref →Partitioned — CHIPS isolation

Cookie Reference

Browse all cookie attributes: Secure, HttpOnly, SameSite, Max-Age, Expires, Domain, Path. See also the Cookie Security guide and Set-Cookie header reference.