- Are automatically added to requests, regardless of origin
Cookie flags
SameSite
Controls whether cookies are sent with cross-site requests.
Options are:
- Lax
- Strict
HttpOnly
Prevents JS access to the cookie, protecting it against XSS attacks.
Yet, I believe they can be accessed by browser extensions.
Secure
Only sends cookies over HTTPS, and therefore via an encrypted connection.
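
As an added example (not part of the original notes), the following Node.js script audits `Set-Cookie` header values for the three flags described above. The function names `parseSetCookie` and `auditCookie` and the sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie header values for SameSite, HttpOnly, Secure.
// Function names and sample headers are constructed for illustration.

// Split a Set-Cookie value into the cookie name and a map of its attributes.
// Attribute names are case-insensitive, so they are lowercased before storing.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const attrs = new Map();
  for (const attr of rest) {
    if (!attr) continue; // tolerate a trailing ";"
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : attr.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Return one finding per flag that is absent or set to an unexpected value.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.has("httponly")) {
    findings.push("HttpOnly missing: cookie is readable from JS");
  }
  if (!attrs.has("secure")) {
    findings.push("Secure missing: cookie may be sent over plain HTTP");
  }
  const sameSite = attrs.get("samesite");
  if (sameSite === undefined) {
    findings.push("SameSite missing: browser default applies");
  } else if (!["lax", "strict"].includes(String(sameSite).toLowerCase())) {
    findings.push(`SameSite=${sameSite} is not Lax or Strict`);
  }
  return { name, findings };
}

// Constructed sample headers, not taken from any real site.
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
  "prefs=dark; Path=/; samesite=lax",
  "tracker=xyz; Secure; SameSite=None",
];
for (const header of SAMPLE_HEADERS) {
  const { name, findings } = auditCookie(header);
  console.log(name, findings.length ? findings : "ok");
}
```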