With the introduction of strict secure cookies, browsers won’t allow overwriting secure cookies from insecure origins.

Cookies were invented before the same-origin policy was formalized. That is why historically they have had a little bit peculiar rules about which webpage can set which cookie. Specifically, it was possible to set a secure, HTTPS cookie from an insecure HTTP site. This “cookie clobbering” makes it possible for man-in-the-middle attackers to write cookies for a site that is protected by HTTPS. This problem was recently fixed by the introduction of strict secure cookies.

Strict secure cookies

The strict secure cookies specification is an addendum to the specification on the behavior of cookies, which aims to “deprecate modification of ‘secure’ cookies from non-secure origins”. It states that exising cookies with a “secure” flag can’t be overwritten by insecure hosts. So http://example.com/ can’t overwrite a secure cookie on https://example.com/, something which was possible before. After the specification was finalized, this new behavior was soon implemented in browsers, and in modern browsers secure cookies can no longer be overwritten.

Don’t remove your cookies

Secure cookies can’t be overwritten, but insecure sites can still create new cookies. This means that if a user does not have a secure cookie for https://example.com/, the insecure http://example.com/ can still write a secure cookie for https://example.com. If a cookie is set, it is protected from being overwritten from an insecure host. If a cookie is absent, it can still be written.

The result of this is that cookies are better secured if they are not deleted on logout. Instead of deleting the cookie, write some garbage into it. By letting the cookie exist it is protected from being overwritten.

An even better alternative is to use cookie prefixes. A cookie prefixed with __Secure- or __Host- can’t be written by an insecure host, whether it already exists or not.


Strict secure cookies improve the security of secure cookies. It is currently implemented in browsers, and websites don’t have to change anything to get advantage of it.

Read more