Cookie security attributes

Secure attribute

The Secure attribute is automatically set on any cookie with "-S" suffix.

HttpOnly attribute

To prevent scripting access and mitigate cookie stealing, Airlock session cookies have the HttpOnly flag set and are not accessible for active client-side components like JavaScript, Flash, ActiveX, Java Applets, etc. The flag is also set for load balancing cookies but not for CSRF token cookies because the CSRF protection feature can not work if the flag is set.

SameSite attribute

The SameSite attribute is set to the enforcement mode Lax for the Airlock session cookies to prevent CSRF attacks. The SameSite mode for CSRF token cookies is set to Strict. The attribute is not set for the load balancing cookie, because this cookie is not security-critical.