SiteAlertAI SiteAlertAI
⬡ Web Scan 🔒 SSL/TLS 📬 MX Record ✉ Email Header 🎣 URL Check 🌍 IP Geo
⬡ Web Scan 🔒 SSL/TLS 📬 MX Record ✉ Email Header 🎣 URL Check 🌍 IP Geo
← All guides

__Host- and __Secure- Cookie Prefixes Explained

Cookie name prefixes are a browser-enforced way to guarantee a cookie was set with specific security attributes. They are a simple, powerful defence against cookie injection and fixation.

The rules

A cookie named with the __Secure- prefix must carry the Secure attribute. A cookie named with the __Host- prefix must have Secure, a Path of /, and NO Domain attribute — which binds it to the exact host. Browsers reject cookies that break these rules, so a mistake fails safe.

When to use them

Use __Host- for session and CSRF cookies that should never be shared across subdomains. The prefix stops a compromised or malicious subdomain from writing a cookie that your main host would trust.

🛰 Audit your cookies →

Related guides

  • What Is HSTS and How Do I Enable It?
  • Content-Security-Policy Explained (and How to Fix a Weak One)
  • Mixed Content: Why Your HTTPS Padlock Breaks
SiteAlertAI · © 2026 All rights reserved · Built for security professionals and developers.
Blog Guides Privacy Terms About Contact Social

⚠ For authorised security testing only. Scanning domains you do not own may violate laws in your jurisdiction. SiteAlertAI accepts no liability for misuse. CVE data is indicative — verify with NVD.