ISM-2063 | ASD Information Security Manual (ISM)

Ensure Web App Cookies Have Security Flags

Web apps should use secure cookie settings to protect user sessions.


Plain language

Web applications often need to use small pieces of data called cookies to keep track of users and their sessions. To protect these sessions from bad actors, we need to make sure these cookies are set up correctly with certain 'flags.' If these flags aren’t set, cybercriminals could potentially steal session information, leading to sensitive data loss or unauthorised access.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

If supported, web application session cookies set the HttpOnly flag, Secure flag and the SameSite flag by default.

Why it matters

Without HttpOnly, Secure and SameSite cookie flags, sessions can be stolen via XSS/MitM/CSRF, enabling unauthorised access and data breaches.


Operational notes

Test all session cookies default to HttpOnly, Secure and SameSite; validate after releases and via scanner checks that flags aren’t removed or downgraded.


Implementation tips

  • Web developers should configure cookies with the HttpOnly flag to add an extra layer of security. This can be done by specifying 'HttpOnly' in the cookie settings so that the cookies cannot be accessed by malicious scripts running in the user's browser.
  • Website administrators need to ensure the Secure flag is set on cookies, especially if the site supports HTTPS. This involves configuring server settings to only allow cookies to be transmitted over secure connections (HTTPS), preventing them from being exposed over insecure links.
  • Developers should set the SameSite attribute on cookies to control the sharing of cookie data with external sites. This can be done by adding 'SameSite=Strict' or 'SameSite=Lax' to the cookie parameters to prevent cross-site request forgery, a type of malicious exploit.
  • IT managers should implement periodic reviews of cookie settings to ensure all new and existing cookies comply with these flags. This can involve setting up automated scans or manual audits of the application's cookie configurations.
  • Security teams should work with web developers to understand these settings and reinforce training on why they are important. This can be achieved through workshops and regular briefings to keep the team updated on best practices and risks involved.
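The operational note above asks that all session cookies default to HttpOnly, Secure and SameSite and that a scanner check confirms the flags are not removed or downgraded after a release, and the implementation tips describe setting those flags. The following is an added example, not code from Control Stack or from the ISM: it builds a session cookie with the three flags set by default using Python's standard-library http.cookies, and audits raw Set-Cookie header lines for missing or weakened flags. The cookie names and header lines are constructed sample data, and REQUIRED_FLAGS and the finding strings are this example's own conventions, not ISM terminology. It goes slightly beyond the text by also flagging SameSite=None without Secure, a combination browsers reject.

```python
"""Set and audit session-cookie security flags (added example, not Control Stack's own code)."""
from http.cookies import SimpleCookie

# The three attributes ISM-2063 expects on session cookies by default.
REQUIRED_FLAGS = ("HttpOnly", "Secure", "SameSite")


def build_session_cookie(name, value, samesite="Lax", max_age=3600):
    """Return a Set-Cookie header value with HttpOnly, Secure and SameSite set.

    SameSite defaults to Lax; pass "Strict" for the tighter setting described
    in the implementation tips. Requires Python 3.8+ for the samesite attribute.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True      # not readable by client-side script (XSS)
    morsel["secure"] = True        # only sent over HTTPS (MitM)
    morsel["samesite"] = samesite  # not sent on cross-site requests (CSRF)
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header):
    """Parse one Set-Cookie header value and return (cookie_name, list_of_findings).

    Attribute names are matched case-insensitively, as browsers do. An empty
    findings list means all required flags are present and consistent.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite.lower() == "none" and "secure" not in attrs:
        # Browsers discard SameSite=None cookies that lack Secure.
        findings.append("SameSite=None requires Secure")
    elif samesite.lower() not in ("strict", "lax", "none"):
        findings.append("unrecognised SameSite value: %s" % samesite)
    return name, findings


def audit_response_cookies(headers):
    """Audit a list of Set-Cookie header values; return {cookie_name: findings}."""
    return dict(audit_set_cookie(h) for h in headers)


# Constructed sample headers, as a post-release scanner might capture them.
SAMPLE_HEADERS = [
    build_session_cookie("sid", "abc123"),                  # compliant
    "legacy=xyz; Path=/; SameSite=Lax",                     # HttpOnly and Secure dropped
    "tracker=1; HttpOnly; SameSite=None",                   # downgraded, and invalid without Secure
]


if __name__ == "__main__":
    for cookie, findings in audit_response_cookies(SAMPLE_HEADERS).items():
        status = "OK" if not findings else "FAIL: " + ", ".join(findings)
        print("%-8s %s" % (cookie, status))
```

Run it against the Set-Cookie lines captured from a staging deployment after each release; any non-empty findings list is a regression against the control's "by default" requirement.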

Audit / evidence tips

  • Ask: The cookie configuration documentation for the web app. Check that it describes settings like the HttpOnly, Secure and SameSite flags. Good: Document includes comprehensive settings with explanations of each flag used.
  • Good: Shows no issues identified with cookie security settings, or that identified issues were promptly addressed.
  • Ask: The IT team to demonstrate cookie settings in the web server or code configuration. Observe whether the cookies are set with the correct security flags (HttpOnly, Secure, SameSite). Good: Demonstration shows these flags being applied consistently across all cookies.
  • Good: Record includes date, trainers, topics covered, and attendees.
  • Ask: Evidence of automated or manual cookie audits over the past year. Good: Audit log is detailed, showing dates, personnel involved, and findings.

Cross-framework mappings

How ISM-2063 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 8.26
Notes: Partially meets (1)
Details: ISM-2063 requires web applications to set session cookies with HttpOnly, Secure and SameSite flags by default where supported

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
