← All guides
__Host- and __Secure- Cookie Prefixes Explained
Cookie name prefixes are a browser-enforced way to guarantee a cookie was set with specific security attributes. They are a simple, powerful defence against cookie injection and fixation.
The rules
A cookie named with the __Secure- prefix must carry the Secure attribute. A cookie named with the __Host- prefix must have Secure, a Path of /, and NO Domain attribute — which binds it to the exact host. Browsers reject cookies that break these rules, so a mistake fails safe.
When to use them
Use __Host- for session and CSRF cookies that should never be shared across subdomains. The prefix stops a compromised or malicious subdomain from writing a cookie that your main host would trust.