@hint/hint-validate-set-cookie-header
hint for best practices related to the usage of the Set-Cookie response header.
Set-Cookie header (validate-set-cookie-header)
This hint validates the set-cookie header and confirms that the Secure and HttpOnly directives are defined when sent from a secure origin (HTTPS).
A cookie is a small piece of information sent from a server to a user agent. The user agent might save it and send it along with future requests to identify the user session, track and analyze user behavior, or inform the server of the user's preferences. As a result, in many cases it contains sensitive data. To create a cookie, the Set-Cookie header is sent from a server in response to requests.
In the Set-Cookie header, a cookie is defined by a name associated with a value. A web server can configure the domain and path directives to restrict the scope of cookies. While session cookies are deleted when a browser shuts down, permanent cookies expire at the time defined by Expires or Max-Age.
Among the directives, the Secure and HttpOnly attributes are particularly relevant to the security of cookies:
- The Secure directive forbids a cookie from being transmitted over plain HTTP.
- The HttpOnly directive prevents access to the cookie value through JavaScript.
Applying both directives makes it harder to exploit cross-site scripting (XSS) vulnerabilities and hijack authenticated user sessions. The Wikipedia page on HTTP cookies offers detailed examples of cookie theft and proxy requests when cookies are not well protected. According to the HTTP State Management Mechanism RFC, "When using cookies over a secure channel, servers SHOULD set the Secure attribute for every cookie". As a result, this hint checks that the Secure and HttpOnly directives are properly used and also validates the Set-Cookie header syntax.
Note: More information about the Set-Cookie header is available in the MDN web docs.
This hint checks the following:
Secure and HttpOnly cookies:
- The Secure and HttpOnly directives should be present if the site is secure.
- The Secure directive should not be present if the site is insecure.
Cookie prefixes:
- The __Secure- and __Host- prefixes can be used only if the site is secure.
- Cookies with the __Host- prefix should have a path of "/" (the entire host) and should not have a domain attribute.
Read more: cookie prefixes.
Syntax validation:
- Expires value date format.
- Browser compatibility of the Max-Age directive.
Examples that trigger the hint:
Set-Cookie header that doesn't have a name-value string:
HTTP/... 200 OK
...
Set-Cookie: Max-Age=0; Secure; HttpOnly
Set-Cookie header that doesn't have the Secure directive:
HTTP/... 200 OK
...
Set-Cookie: cookieName=cookieValue; HttpOnly
Set-Cookie header that doesn't have the HttpOnly directive:
HTTP/... 200 OK
...
Set-Cookie: cookieName=cookieValue; Secure
Set-Cookie header that has an invalid name or value string:
HTTP/... 200 OK
...
Set-Cookie: "cookieName"=cookieValue; Secure; HttpOnly
HTTP/... 200 OK
...
Set-Cookie: cookieName=cookie value; Secure; HttpOnly
Set-Cookie header that has prefixes in the cookie name but is sent from pages using the http protocol:
From an insecure origin (HTTP):
HTTP/... 200 OK
...
Set-Cookie: __Secure-ID=123; Secure; Domain=example.com
Set-Cookie header that has the __Host- prefix in the cookie name but has Path absent or Domain defined:
HTTP/... 200 OK
...
Set-Cookie: __Host-id=1; Secure
HTTP/... 200 OK
...
Set-Cookie: __Host-id=1; Secure; Path=/; domain=example.com
Examples that pass the hint:
HTTP/... 200 OK
...
Set-Cookie: cookieName=cookieValue; Secure; HttpOnly
HTTP/... 200 OK
...
Set-Cookie: cookieName="cookieValue"; Secure; HttpOnly
HTTP/... 200 OK
...
Set-Cookie: __Host-ID=123; Secure; Path=/; HttpOnly
HTTP/... 200 OK
...
Set-Cookie: __Secure-ID=123; Secure; Domain=example.com; HttpOnly
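The checks listed above, applied to a single Set-Cookie header value, as an added JavaScript example (this is not webhint's own implementation; the secureOrigin flag and the problem strings are assumptions, and treating a leading attribute such as Max-Age= as a missing name-value string is my reading of the first triggering example):

```javascript
// Added example, not webhint's own implementation: applies the checks this hint
// describes to one Set-Cookie header value and returns the problems found.
// `secureOrigin` (assumed parameter) says whether the response came over HTTPS.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;                 // RFC 6265 token
const OCTETS = '[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*'; // cookie-octet
const VALUE = new RegExp(`^(?:"${OCTETS}"|${OCTETS})$`);        // optionally DQUOTE-wrapped
const ATTRIBUTES = ['expires', 'max-age', 'domain', 'path', 'secure', 'httponly', 'samesite'];

// Split "key=value" on the first "=" only; a cookie value may itself contain "=".
function splitPair(s) {
  const i = s.indexOf('=');
  return i < 0 ? [s.trim(), null] : [s.slice(0, i).trim(), s.slice(i + 1).trim()];
}

function validateSetCookie(header, secureOrigin) {
  const problems = [];
  const [first, ...rest] = header.split(';');
  const [name, value] = splitPair(first);
  // Assumption: a leading attribute such as "Max-Age=0" means the name-value
  // string is absent, which is how the first triggering example is read here.
  if (value === null || ATTRIBUTES.includes(name.toLowerCase())) {
    problems.push('no name-value string');
    return problems;
  }
  if (!TOKEN.test(name)) problems.push(`invalid cookie name: ${name}`);
  if (!VALUE.test(value)) problems.push(`invalid cookie value: ${value}`);
  // Attribute names are case-insensitive, so "domain=" counts as Domain.
  const attrs = new Map(rest.map((a) => {
    const [k, v] = splitPair(a);
    return [k.toLowerCase(), v];
  }));
  const prefixed = /^__(Secure|Host)-/.test(name);
  if (secureOrigin) {
    if (!attrs.has('secure')) problems.push('Secure directive missing');
    if (!attrs.has('httponly')) problems.push('HttpOnly directive missing');
  } else {
    if (attrs.has('secure')) problems.push('Secure directive on insecure origin');
    if (prefixed) problems.push('cookie prefix used on insecure origin');
  }
  if (name.startsWith('__Host-')) {
    if (attrs.get('path') !== '/') problems.push('__Host- cookie needs Path=/');
    if (attrs.has('domain')) problems.push('__Host- cookie must not set Domain');
  }
  return problems;
}
```

Running the page's own examples through it, each triggering header yields at least one problem and each passing header yields none.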
This package is installed automatically by webhint:
npm install hint --save-dev
To use it, activate it via the .hintrc configuration file:
{
"connector": {...},
"formatters": [...],
"hints": {
"validate-set-cookie-header": "error",
...
},
"parsers": [...],
...
}
Note: The recommended way of running webhint is as a devDependency of your project.