cookies

Set-Cookie

Server instructs the client to store a cookie with attributes governing lifetime, scope, and security. Each cookie needs its own Set-Cookie header — they are the one HTTP header that MUST NOT be comma-folded.

Set-Cookie: <name>=<value>[; Expires=<date>] [; Max-Age=<seconds>] [; Domain=<host>] [; Path=<path>] [; Secure] [; HttpOnly] [; SameSite=Strict|Lax|None] [; Partitioned]

Common directives / values

Directive Purpose
Secure Only sent over HTTPS.
HttpOnly Not accessible to document.cookie — mitigates XSS token theft.
SameSite=Lax Default in modern browsers; sent on top-level GET navigations, not cross-site subrequests.
SameSite=Strict Never sent on cross-site requests, even top-level.
SameSite=None Sent on all cross-site requests — requires Secure.
Max-Age=<seconds> Lifetime in seconds; overrides Expires.
Partitioned CHIPS — cookie is keyed to the top-level site (privacy sandbox).
Domain=<host> Scope cookie to a host and its subdomains (leading dot is legacy/ignored).

Examples

Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600

Standard hardened session cookie.

Set-Cookie: __Host-csrf=xyz; Path=/; Secure; SameSite=Strict

__Host- prefix: no Domain, Path=/, Secure — most-scoped and safest.

Set-Cookie: consent=1; Max-Age=0

Delete a cookie by setting Max-Age=0 (or an Expires date in the past).

Set-Cookie: ads=1; Secure; SameSite=None; Partitioned

Third-party cookie under CHIPS — partitioned per top-level site.

Gotcha

SameSite=None requires Secure — browsers reject it otherwise. Set-Cookie is the ONE header that must not be combined with commas; sending multiple cookies means multiple Set-Cookie lines.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors