Cookie Security in Node.js Explained
Cookies have several security flags. Here is what each does and how to use them.
Cookie Security in Node.js Explained
Cookies have several security flags. Getting them right is the difference between a safe cookie and a leak. Here is what each does.
httpOnly
httpOnly: true means scripts cannot read the cookie. Only the browser sends it on requests. Protects against XSS-driven cookie theft.
secure
secure: true means the cookie is only sent over HTTPS. Without it, the cookie is sent over HTTP too, where a man-in-the-middle can read it. Always use HTTPS in production.
sameSite
Controls when the cookie is sent on cross-site requests.
- 'strict': never sent on cross-site requests. Strongest CSRF protection.
- 'lax': sent on top-level navigations (e.g., clicking a link to your site). Good balance.
- 'none': always sent (requires secure: true). Use only for third-party embeds.
maxAge or expires
maxAge is in milliseconds. expires is a Date. Set it to match the token's expiry. Otherwise the cookie outlives the token.
domain
Defaults to the current domain. Set explicitly if you want subdomains to share the cookie: domain: '.example.com' makes it available to app.example.com and api.example.com.
path
Defaults to '/'. Restrict to a specific path if needed: path: '/admin' makes the cookie only sent to /admin requests.
signed
signed: true with cookie-parser(secret) signs the cookie. The server can detect tampering. Useful for cookies that should not be JWTs (e.g., a session id).
Setting a Cookie
res.cookie('token', jwt, {
httpOnly: true,
secure: true,
sameSite: 'lax',
maxAge: 7 * 24 * 60 * 60 * 1000
});
Clearing a Cookie
res.clearCookie('token', {
httpOnly: true,
secure: true,
sameSite: 'lax'
});
Pass the same options you used to set it. Otherwise the browser may not match the cookie and it will not be cleared.
CSRF and Cookies
With sameSite: 'lax' or 'strict', CSRF is largely handled because cross-site requests do not include the cookie. For 'none', you need CSRF tokens (e.g., csurf middleware).
The Takeaway
Cookie security flags: httpOnly (no script access), secure (HTTPS only), sameSite ('lax' or 'strict' for CSRF protection), maxAge matching the token expiry, domain for subdomain sharing, path for restriction, and signed for tamper detection. Clear with the same options. CSRF is largely handled by sameSite.
httpOnly (no script access), secure (HTTPS only), sameSite ('lax' or 'strict' for CSRF protection), maxAge (match token expiry), domain (for subdomain sharing), path (for restriction), and signed (tamper detection with cookie-parser).
Scripts cannot read the cookie. Only the browser sends it on requests. Protects against XSS-driven cookie theft. Without httpOnly, any script (including injected ones) can read the cookie.
Controls when the cookie is sent on cross-site requests. 'strict' never sends it cross-site (strongest CSRF protection). 'lax' sends it on top-level navigations (good balance). 'none' always sends it (requires secure: true; use only for third-party embeds).
Otherwise the browser may not match the cookie and it will not be cleared. If you set httpOnly, secure, sameSite, you must clear with the same options. Otherwise the user stays logged in.
With sameSite 'lax' or 'strict', CSRF is largely handled because cross-site requests do not include the cookie. For sameSite 'none' (third-party embeds), you need CSRF tokens (e.g., csurf middleware).
Ready to master Node.js completely?
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.
Master Node.js
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course.

