cookies
Set-Cookie
Server instructs the client to store a cookie with attributes governing lifetime, scope, and security. Each cookie needs its own Set-Cookie header — they are the one HTTP header that MUST NOT be comma-folded.
Set-Cookie: <name>=<value>[; Expires=<date>] [; Max-Age=<seconds>] [; Domain=<host>] [; Path=<path>] [; Secure] [; HttpOnly] [; SameSite=Strict|Lax|None] [; Partitioned] Common directives / values
| Directive | Purpose |
|---|---|
| Secure | Only sent over HTTPS. |
| HttpOnly | Not accessible to document.cookie — mitigates XSS token theft. |
| SameSite=Lax | Default in modern browsers; sent on top-level GET navigations, not cross-site subrequests. |
| SameSite=Strict | Never sent on cross-site requests, even top-level. |
| SameSite=None | Sent on all cross-site requests — requires Secure. |
| Max-Age=<seconds> | Lifetime in seconds; overrides Expires. |
| Partitioned | CHIPS — cookie is keyed to the top-level site (privacy sandbox). |
| Domain=<host> | Scope cookie to a host and its subdomains (leading dot is legacy/ignored). |
Examples
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600 Standard hardened session cookie.
Set-Cookie: __Host-csrf=xyz; Path=/; Secure; SameSite=Strict __Host- prefix: no Domain, Path=/, Secure — most-scoped and safest.
Set-Cookie: consent=1; Max-Age=0 Delete a cookie by setting Max-Age=0 (or an Expires date in the past).
Set-Cookie: ads=1; Secure; SameSite=None; Partitioned Third-party cookie under CHIPS — partitioned per top-level site.
Gotcha
SameSite=None requires Secure — browsers reject it otherwise. Set-Cookie is the ONE header that must not be combined with commas; sending multiple cookies means multiple Set-Cookie lines.
Related headers
Cookie
Client sends previously stored cookies that match the request's origin, path, and Secure/SameSite constraints. All applicable name=value pairs are concatenated into a single header.
Access-Control-Allow-Credentials
Signals that the response may be shared with the requesting origin even when the request was made with credentials (cookies, HTTP auth, or client TLS certs). The only legal value is the literal string 'true'.
Strict-Transport-Security
HSTS instructs browsers to only connect over HTTPS for max-age seconds, upgrading any http:// URL and refusing to bypass TLS warnings. Once cached the policy is sticky for the whole duration.
Referrer-Policy
Controls how much of the current URL is sent as the Referer header on outgoing requests and navigations. Tightening it limits leakage of query strings, session tokens, and internal paths to third parties.