Cookies

Last updated: 21 March 2025

When setting cookies you should consider their purpose and specify attribute values that reduce security risks. External-facing websites that use cookies to store data on a user's device must abide by the Privacy and Electronic Communications Regulations 2003.


Requirement(s)

Any cookies that may be created during an external user’s interaction with a website must be detailed in a cookie policy. This must include the name of the cookies, what they are used for, and how long they will be stored.

You MUST determine what cookies are essential

If a cookie is required to perform an action that an external user has requested, for example to track that they have successfully authenticated, then it is termed an essential cookie. These do not require consent from the user but must still be detailed in a cookie policy.

For external-facing websites, you must gain consent from the user before storing any non-essential cookies. The guidance from the ICO specifies:

To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent.

You MUST use the HttpOnly attribute when possible

When setting cookies, the HttpOnly attribute helps reduce the impact of cross-site scripting (XSS) attacks by preventing JavaScript running in the page from reading the cookie's value. This form of attack is common and has persistently featured in the OWASP Top 10, which tracks the most significant security risks to web applications.

You MUST use the Secure attribute

When setting cookies, the Secure attribute tells the browser to send the cookie only with requests made over HTTPS. This makes it more difficult for unauthorised parties to observe the value of the cookie while it travels from the user’s device to the server.

You MUST scope cookies appropriately

When setting cookies, the Domain and Path attributes describe the hosts and URL paths to which the cookie should be sent. By specifying appropriate values for these attributes (omitting Domain where only the originating host needs the cookie, and narrowing Path where possible) you reduce the risk of cookies being sent unnecessarily to other hosts or applications under the same domain that do not need them.
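The following is an added example, not part of this standard: a small Python helper that emits a Set-Cookie header satisfying the HttpOnly, Secure and scoping requirements above, and an audit function that checks existing Set-Cookie headers against them. The cookie names and the example.gov.uk domain are constructed for illustration.

```python
# Added example: build and audit Set-Cookie headers against the
# HttpOnly / Secure / scoping requirements. Not code from the standard.
from typing import Dict, List, Optional


def build_set_cookie(name: str, value: str, path: str = "/",
                     domain: Optional[str] = None,
                     max_age: Optional[int] = None) -> str:
    """Return a Set-Cookie header value with the mandated attributes.

    Secure and HttpOnly are always added. Domain is omitted unless given,
    which keeps the cookie scoped to the originating host (narrowest scope).
    """
    parts = [f"{name}={value}", f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    parts += ["Secure", "HttpOnly"]
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split a Set-Cookie header into its name/value and attributes.

    Attribute names become lower-cased keys; flag attributes map to None.
    """
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"_name": name.strip(), "_value": value.strip()}
    for seg in segments[1:]:
        if seg:
            key, has_eq, val = seg.partition("=")
            cookie[key.strip().lower()] = val.strip() if has_eq else None
    return cookie


def audit_set_cookie(header: str) -> List[str]:
    """Return findings (empty list means compliant) for one Set-Cookie header."""
    c = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in c:
        findings.append("missing HttpOnly: page scripts can read the cookie (XSS risk)")
    if "secure" not in c:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if c.get("domain"):
        # A Domain attribute shares the cookie with every subdomain of that value.
        findings.append(f"Domain={c['domain']} set: sent to all subdomains; omit unless required")
    return findings
```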