ℹ️ Skipped - page is already crawled
| Filter | Status | Condition | Details |
|---|---|---|---|
| HTTP status | PASS | download_http_code = 200 | HTTP 200 |
| Age cutoff | PASS | download_stamp > now() - 6 MONTH | 0.1 months ago |
| History drop | PASS | isNull(history_drop_reason) | No drop reason |
| Spam/ban | PASS | fh_dont_index != 1 AND ml_spam_score = 0 | ml_spam_score=0 |
| Canonical | PASS | meta_canonical IS NULL OR = '' OR = src_unparsed | Not set |

| Property | Value |
|---|---|
| URL | https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies |
| Last Crawled | 2026-04-09 14:34:34 (1 day ago) |
| First Indexed | 2025-03-14 01:01:51 (1 year ago) |
| HTTP Status Code | 200 |
| Meta Title | Using HTTP cookies - HTTP | MDN |
| Meta Description | A cookie (also known as a web cookie or browser cookie) is a small piece of data a server sends to a user's web browser. The browser may store cookies, create new cookies, modify existing ones, and send them back to the same server with later requests. Cookies enable web applications to store limited amounts of data and remember state information; by default the HTTP protocol is stateless. |
| Meta Canonical | null |
| Boilerpipe Text | What cookies are used for
Typically, the server will use the contents of HTTP cookies to determine whether different requests come from the same browser/user and then issue a personalized or generic response as appropriate. The following describes a basic user sign-in system:
1. The user sends sign-in credentials to the server, for example via a form submission.
2. If the credentials are correct, the server updates the UI to indicate that the user is signed in, and responds with a cookie containing a session ID that records their sign-in status on the browser.
3. At a later time, the user moves to a different page on the same site. The browser sends the cookie containing the session ID along with the corresponding request to indicate that it still thinks the user is signed in.
4. The server checks the session ID and, if it is still valid, sends the user a personalized version of the new page. If it is not valid, the session ID is deleted and the user is shown a generic version of the page (or perhaps shown an "access denied" message and asked to sign in again).
Cookies are mainly used for three purposes:
- Session management: User sign-in status, shopping cart contents, game scores, or any other user session-related details that the server needs to remember.
- Personalization: User preferences such as display language and UI theme.
- Tracking: Recording and analyzing user behavior.
Data storage
In the early days of the web when there was no other option, cookies were used for general client-side data storage purposes. Modern storage APIs are now recommended, for example the Web Storage API (localStorage and sessionStorage) and IndexedDB.
They are designed with storage in mind, never send data to the server, and don't come with other drawbacks of using cookies for storage:
- Browsers are generally limited to a maximum number of cookies per domain (varies by browser, generally in the hundreds), and a maximum size per cookie (usually 4KB). Storage APIs can store larger amounts of data.
- Cookies are sent with every request, so they can worsen performance (for example on slow mobile data connections), especially if you have a lot of cookies set.
Note: To see stored cookies (and other storage that a web page is using) you can use the Storage Inspector in Firefox Developer Tools, or the Application panel in Chrome Developer Tools.
Creating, removing, and updating cookies
After receiving an HTTP request, a server can send one or more Set-Cookie headers with the response, each one of which will set a separate cookie. A cookie is set by specifying a name-value pair like this:
```http
Set-Cookie: <cookie-name>=<cookie-value>
```
The following HTTP response instructs the receiving browser to store a pair of cookies:
```http
HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: yummy_cookie=chocolate
Set-Cookie: tasty_cookie=strawberry

[page content]
```
Note: Find out how to use the Set-Cookie header in various server-side languages/frameworks: PHP, Node.js, Python, Ruby on Rails.
When a new request is made, the browser usually sends previously stored cookies for the current domain back to the server within a Cookie HTTP header:
```http
GET /sample_page.html HTTP/2.0
Host: www.example.org
Cookie: yummy_cookie=chocolate; tasty_cookie=strawberry
```
Removal: defining the lifetime of a cookie
You can specify an expiration date or time period after which the cookie should be deleted and no longer sent. Depending on the attributes set within the Set-Cookie header when the cookies are created, they can be either permanent or session cookies:
Permanent cookies are deleted after the date specified in the Expires attribute:
```http
Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT;
```
or after the period specified in the Max-Age attribute:
```http
Set-Cookie: id=a3fWa; Max-Age=2592000
```
Note: Expires has been available for longer than Max-Age, however Max-Age is less error-prone, and takes precedence when both are set. The rationale behind this is that when you set an Expires date and time, they're relative to the client the cookie is being set on. If the server is set to a different time, this could cause errors.
Session cookies — cookies without a Max-Age or Expires attribute — are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers use session restoring when restarting. This can cause session cookies to last indefinitely.
Note: If your site authenticates users, it should regenerate and resend session cookies, even ones that already exist, whenever a user authenticates. This approach helps prevent session fixation attacks, where a third-party can reuse a user's session.
To immediately remove a cookie, set the cookie again with the same name, path, and domain (if specified), and set its Expires attribute to a date in the past or its Max-Age attribute to 0 or negative. This instructs the browser to delete the cookie right away. For example:
```http
Set-Cookie: id=a3fWa; Max-Age=0
```
You can also clear all cookies associated with a registrable domain using the Clear-Site-Data response header.
For example, the following header sent from https://foo.example.com/ would clear all cookies sent by example.com and all of its subdomains, such as all.bar.example.com.
```http
Clear-Site-Data: "cookies"
```
There are some techniques designed to recreate cookies after they're deleted. These are known as "zombie" cookies. These techniques violate the principles of user privacy and control, may violate data privacy regulations, and could expose a website using them to legal liability.
Updating cookie values
To update a cookie via HTTP, the server can send a Set-Cookie header with the existing cookie's name and a new value. For example:
```http
Set-Cookie: id=new-value
```
There are several reasons why you might want to do this, for example if a user has updated their preferences and the application wants to reflect the changes in client-side data (you could also do this with a client-side storage mechanism such as Web Storage).
Updating cookies via JavaScript
In the browser, you can create new cookies via JavaScript using the Document.cookie property, or the asynchronous Cookie Store API. Note that all examples below use Document.cookie, as it is the most widely supported/established option.
```js
document.cookie = "yummy_cookie=chocolate";
document.cookie = "tasty_cookie=strawberry";
```
You can also access existing cookies and set new values for them:
```js
console.log(document.cookie);
// logs "yummy_cookie=chocolate; tasty_cookie=strawberry"
document.cookie = "yummy_cookie=blueberry";
console.log(document.cookie);
// logs "tasty_cookie=strawberry; yummy_cookie=blueberry"
```
For security purposes, you can't change cookie values by sending an updated Cookie header directly when initiating a request, for example, via fetch() or XMLHttpRequest.
There are good reasons why you shouldn't allow JavaScript to modify cookies at all. You can prevent JavaScript from accessing a cookie by specifying the HttpOnly attribute during its creation. See the Security section for more details.
Security
When you store information in cookies, by default all cookie values are visible to, and can be changed by, the end user. You really don't want your cookies to be misused — for example accessed/modified by bad actors, or sent to domains where they shouldn't be sent. The potential consequences can range from annoying — apps not working or exhibiting strange behavior — to catastrophic. A criminal could for example steal a session ID and use it to set a cookie that makes it look like they are logged in as someone else, taking control of their bank or e-commerce account in the process.
You can secure your cookies in a variety of ways, which are reviewed in this section.
Block access to your cookies
You can ensure that cookies are sent securely and aren't accessed by unintended parties or scripts in one of two ways: with the Secure attribute and the HttpOnly attribute:
```http
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly
```
A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can't access it easily. Insecure sites (with http: in the URL) can't set cookies with the Secure attribute. However, don't assume that Secure prevents all access to sensitive information in cookies. For example, someone with access to the client's hard disk (or JavaScript if the HttpOnly attribute isn't set) can read and modify the information.
A cookie with the HttpOnly attribute can't be accessed by JavaScript, for example using Document.cookie; it can only be accessed when it reaches the server. Cookies that persist user sessions for example should have the HttpOnly attribute set — it would be really insecure to make them available to JavaScript. This precaution helps mitigate cross-site scripting (XSS) attacks.
Note: Depending on the application, you may want to use an opaque identifier that the server looks up rather than storing sensitive information directly in cookies, or investigate alternative authentication/confidentiality mechanisms such as JSON Web Tokens.
Define where cookies are sent
The Domain and Path attributes define the scope of a cookie: what URLs the cookies are sent to.
The Domain attribute specifies which server can receive a cookie. If specified, cookies are available on the specified server and its subdomains. For example, if you set Domain=mozilla.org from mozilla.org, cookies are available on that domain and subdomains like developer.mozilla.org.
```http
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly; Domain=mozilla.org
```
If the Set-Cookie header does not specify a Domain attribute, the cookies are available on the server that sets it but not on its subdomains. Therefore, specifying Domain is less restrictive than omitting it.
Note that a server can only set the Domain attribute to its own domain or a parent domain, not to a subdomain or some other domain. So, for example, a server with domain foo.example.com could set the attribute to example.com or foo.example.com, but not bar.foo.example.com or elsewhere.com (the cookies would still be sent to subdomains such as bar.foo.example.com though). See Invalid domains for more details.
The Path attribute indicates a URL path that must exist in the requested URL in order to send the Cookie header. For example:
```http
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly; Path=/docs
```
The %x2F ("/") character is considered a directory separator, and subdirectories match as well. For example, if you set Path=/docs, these request paths match:
- /docs
- /docs/
- /docs/Web/
- /docs/Web/HTTP
But these request paths don't:
- /
- /docsets
- /fr/docs
Note: The Path attribute lets you control what cookies the browser sends based on the different parts of a site. It is not intended as a security measure, and does not protect against unauthorized reading of the cookie from a different path.
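The Domain and Path scoping rules above, written out as runnable matching functions so the behaviour can be checked against the article's own examples. This is an added example, not MDN's code: `domainMatch` and `pathMatch` implement the domain-match and path-match algorithms of RFC 6265 (sections 5.1.3 and 5.1.4) and `defaultPath` the default-path rule applied when `Path` is absent; the function names, the cookie object shape used by `cookieSentTo`, and `articlePathExamples` are this example's own. The public-suffix check that browsers also apply to `Domain` is left out, so `canSetDomain` covers only the own-host-or-parent rule the text describes.

```javascript
// Added example (not MDN's code): the Domain and Path scoping rules above,
// written out as the matching functions a browser applies (domain-match and
// path-match from RFC 6265 sections 5.1.3 and 5.1.4, plus the default-path
// rule used when Path is absent). Function names and the cookie object shape
// are this example's own; the public-suffix check browsers also perform is
// deliberately left out, so canSetDomain covers only the host/parent rule.

// A request host matches a cookie Domain when it equals the domain or is a
// subdomain of it. Compared case-insensitively; a leading dot is ignored.
function domainMatch(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Path-match: the cookie path must be a prefix of the request path and the
// boundary must fall on "/", so Path=/docs covers /docs/Web but not /docsets.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// When Set-Cookie carries no Path, the browser derives one from the request:
// everything up to, but not including, the last "/" (or "/" itself).
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const last = requestPath.lastIndexOf("/");
  return last === 0 ? "/" : requestPath.slice(0, last);
}

// May a server at settingHost set Domain=cookieDomain? Only its own host or a
// parent domain qualifies; subdomains and unrelated domains are rejected.
function canSetDomain(settingHost, cookieDomain) {
  return domainMatch(settingHost, cookieDomain);
}

// Would a stored cookie be attached to a request for `url`? A cookie without
// a Domain attribute is host-only: it goes back to the setting host alone.
// cookie = { name, host, domain?, path, secure }
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  const hostOk = cookie.domain
    ? domainMatch(u.hostname, cookie.domain)
    : u.hostname.toLowerCase() === cookie.host.toLowerCase();
  const pathOk = pathMatch(u.pathname, cookie.path);
  const schemeOk = !cookie.secure || u.protocol === "https:" || u.hostname === "localhost";
  return hostOk && pathOk && schemeOk;
}

// The request paths listed in the article, checked against Path=/docs.
function articlePathExamples() {
  return {
    matching: ["/docs", "/docs/", "/docs/Web/", "/docs/Web/HTTP"].map((p) => pathMatch(p, "/docs")),
    nonMatching: ["/", "/docsets", "/fr/docs"].map((p) => pathMatch(p, "/docs")),
  };
}
```

Two points the functions make concrete: omitting `Domain` yields a host-only cookie that `developer.mozilla.org` never receives even though `mozilla.org` set it, and `Path` is a delivery filter only, since a page at `/fr/docs` on the same origin can still read a `/docs` cookie through `Document.cookie` if the cookie is not `HttpOnly`.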
Controlling third-party cookies with SameSite
The SameSite attribute lets servers specify whether/when cookies are sent with cross-site requests — i.e., third-party cookies. Cross-site requests are requests where the site (the registrable domain) and/or the scheme (http or https) do not match the site the user is currently visiting. This includes requests sent when links are clicked on other sites to navigate to your site, and any request sent by embedded third-party content.
SameSite helps to prevent leakage of information, preserving user privacy and providing some protection against cross-site request forgery attacks. It takes three possible values: Strict, Lax, and None:
Strict causes the browser to only send the cookie in response to requests originating from the cookie's origin site. This should be used when you have cookies relating to functionality that will always be behind an initial navigation, such as authentication or storing shopping cart information.
```http
Set-Cookie: cart=110045_77895_53420; SameSite=Strict
```
Note: Cookies that are used for sensitive information should also have a short lifetime.
Lax is similar, except the browser also sends the cookie when the user navigates to the cookie's origin site (even if the user is coming from a different site). This is useful for cookies affecting the display of a site — for example you might have partner product information along with an affiliate link on your website. When that link is followed to the partner website, they might want to set a cookie stating that the affiliate link was followed, which displays a reward banner and provides a discount if the product is purchased.
```http
Set-Cookie: affiliate=e4rt45dw; SameSite=Lax
```
None specifies that cookies are sent on both originating and cross-site requests. This is useful if you want to send cookies along with requests made from third-party content embedded in other sites, for example, ad-tech or analytics providers. Note that if SameSite=None is set then the Secure attribute must also be set — SameSite=None requires a secure context.
```http
Set-Cookie: widget_session=7yjgj57e4n3d; SameSite=None; Secure; HttpOnly
```
If no SameSite attribute is set, the cookie is treated as Lax by default.
Cookie prefixes
Because of the design of the cookie mechanism, a server can't confirm that a cookie was set from a secure origin or even tell where a cookie was originally set.
An application on a subdomain can set a cookie with the Domain attribute, which gives access to that cookie on all other subdomains. This mechanism can be abused in a session fixation attack.
As a defense-in-depth measure, you can use cookie prefixes to impose specific restrictions on a cookie's attributes in supporting user-agents. All cookie prefixes start with a double-underscore (__) and end in a dash (-). Four prefixes are available:
- __Secure-: Cookies with names starting with __Secure- must be set with the Secure attribute by a secure page (HTTPS).
- __Host-: Cookies with names starting with __Host- must be set with the Secure attribute by a secure page (HTTPS). In addition, they must not have a Domain attribute specified, and the Path attribute must be set to /. This guarantees that such cookies are only sent to the host that set them, and not to any other host on the domain. It also guarantees that they are set host-wide and cannot be overridden on any path on that host. This combination yields a cookie that is as close as can be to treating the origin as a security boundary.
- __Http-: Cookies with names starting with __Http- must be set with the Secure flag by a secure page (HTTPS) and in addition must have the HttpOnly attribute set to prove that they were set via the Set-Cookie header (they can't be set or modified via JavaScript features such as Document.cookie or the Cookie Store API).
- __Host-Http-: Cookies with names starting with __Host-Http- must be set with the Secure flag by a secure page (HTTPS) and must have the HttpOnly attribute set to prove that they were set via the Set-Cookie header. In addition, they also have the same restrictions as __Host- prefixed cookies. This combination yields a cookie that is as close as can be to treating the origin as a security boundary while at the same time ensuring developers and server operators know that its scope is limited to HTTP requests.
The browser will reject cookies with these prefixes that don't comply with their restrictions. As the application server only checks for a specific cookie name when determining if the user is authenticated or a CSRF token is correct, this effectively acts as a defense measure against session fixation.
Note: On the server, the web application must check for the full cookie name including the prefix. User agents do not strip the prefix from the cookie before sending it in a request's Cookie header.
For more information about cookie prefixes and the current state of browser support, see the Prefixes section of the Set-Cookie reference article.
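The attribute rules from this Security section (Secure and HttpOnly for session cookies, SameSite=None requiring Secure, and the four cookie prefixes) as a lint that a server-side test or response-checking proxy could run over Set-Cookie header values. This is an added example, not MDN's code: `parseSetCookie`, `checkSetCookie` and `lintAll` are this example's own names, the prefix checks mirror what the text says browsers enforce, and the rule that treats any cookie whose name contains "session" as a session token is an assumption made for illustration. The sample headers are constructed from the article's own examples.

```javascript
// Added example (not MDN's code): a lint for Set-Cookie header values that
// applies the rules from this article's Security section: the four cookie
// prefixes, SameSite=None requiring Secure, and the guidance that session
// cookies carry Secure and HttpOnly. parseSetCookie, checkSetCookie and
// lintAll are this example's own; the "session" name heuristic is an
// assumption used for illustration, not a rule browsers enforce.

// Splits "name=value; Attr; Attr=val" into its parts. Attribute names are
// lowercased for comparison; valueless attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const value = eq < 0 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i < 0 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Returns the list of violations; an empty list means the header is acceptable.
// fromSecureOrigin: whether the response was served over HTTPS, which the
// prefixes (and the Secure attribute itself) require.
function checkSetCookie(header, { fromSecureOrigin = true } = {}) {
  const { name, attributes: a } = parseSetCookie(header);
  const problems = [];
  const secure = a.secure === true;
  const httpOnly = a.httponly === true;

  // __Secure-, __Host- and __Http- (hence also __Host-Http-) require Secure + HTTPS.
  if (/^__(Secure|Host|Http)-/.test(name)) {
    if (!secure) problems.push(`${name}: prefixed cookie requires the Secure attribute`);
    if (!fromSecureOrigin) problems.push(`${name}: prefixed cookie must be set from an HTTPS page`);
  }
  // __Host- (including __Host-Http-): no Domain, and Path must be exactly "/".
  if (name.startsWith("__Host-")) {
    if ("domain" in a) problems.push(`${name}: __Host- cookies must not have a Domain attribute`);
    if (a.path !== "/") problems.push(`${name}: __Host- cookies must set Path=/`);
  }
  // __Http- and __Host-Http-: must be HttpOnly (proves it came via Set-Cookie).
  if (name.startsWith("__Http-") || name.startsWith("__Host-Http-")) {
    if (!httpOnly) problems.push(`${name}: __Http- cookies require HttpOnly`);
  }
  // SameSite=None is only honoured together with Secure.
  if ("samesite" in a) {
    const mode = String(a.samesite).toLowerCase();
    if (!["strict", "lax", "none"].includes(mode)) problems.push(`${name}: unknown SameSite value ${a.samesite}`);
    if (mode === "none" && !secure) problems.push(`${name}: SameSite=None requires Secure`);
  }
  // Heuristic (assumption): a name containing "session" is treated as a session token.
  if (/session/i.test(name)) {
    if (!httpOnly) problems.push(`${name}: session cookie should be HttpOnly`);
    if (!secure) problems.push(`${name}: session cookie should be Secure`);
  }
  return problems;
}

// Constructed sample: Set-Cookie values modelled on the article's examples.
const sampleSetCookieHeaders = [
  "__Host-session=7yjgj57e4n3d; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=3600",
  "widget_session=7yjgj57e4n3d; SameSite=None; Secure; HttpOnly",
  "affiliate=e4rt45dw; SameSite=Lax",
  "__Host-id=a3fWa; Secure; Domain=mozilla.org",
];

// Lints every Set-Cookie header of a response; returns { cookieName: [problems] }
// for the headers that fail, which is what a CI check or proxy would report.
function lintAll(headers, options) {
  const report = {};
  for (const h of headers) {
    const problems = checkSetCookie(h, options);
    if (problems.length) report[parseSetCookie(h).name] = problems;
  }
  return report;
}
```

Run over the constructed sample, only `__Host-id` is reported (it carries a `Domain` attribute and lacks `Path=/`); a browser would silently drop that cookie, which is exactly the kind of failure that is easier to catch in a test than in production.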
Privacy and tracking
Earlier on we talked about how the SameSite attribute can be used to control when third-party cookies are sent, and that this can help preserve user privacy. Privacy is a very important consideration when building websites which, when done right, can build trust with your users. If done badly, it can completely erode that trust and cause all kinds of other problems.
Third-party cookies can be set by third-party content embedded in sites via <iframe>s. They have many legitimate uses, including sharing user profile information, counting ad impressions, or collecting analytics across different related domains.
However, third-party cookies can also be used to create creepy, invasive user experiences. A third-party server can create a profile of a user's browsing history and habits based on cookies sent to it by the same browser when accessing multiple sites. The classic example is when you search for product information on one site and are then chased around the web by adverts for similar products wherever you go.
Browser vendors know that users don't like this behavior, and as a result have all started to block third-party cookies by default, or at least made plans to go in that direction. Third-party cookies (or just tracking cookies) may also be blocked by other browser settings or extensions.
Note: Cookie blocking can cause some third-party components (such as social media widgets) not to function as intended. As browsers impose further restrictions on third-party cookies, developers should start to look at ways to reduce their reliance on them.
See our Third-party cookies article for detailed information on third-party cookies, the issues associated with them, and what alternatives are available. See our Privacy landing page for more information on privacy in general.
Cookie-related regulations
Legislation or regulations that cover the use of cookies include:
- The General Data Privacy Regulation (GDPR) in the European Union
- The ePrivacy Directive in the EU
- The California Consumer Privacy Act
These regulations have global reach. They apply to any site on the World Wide Web that users from these jurisdictions access (the EU and California, with the caveat that California's law applies only to entities with gross revenue over 25 million USD, among other things).
These regulations include requirements such as:
- Notifying users that your site uses cookies.
- Allowing users to opt out of receiving some or all cookies.
- Allowing users to use the bulk of your service without receiving cookies.
There may be other regulations that govern the use of cookies in your locality. The burden is on you to know and comply with these regulations. There are companies that offer "cookie banner" code that helps you comply with these regulations.
See also
- Related HTTP headers: Set-Cookie, Cookie
- Related JavaScript APIs: Document.cookie, Navigator.cookieEnabled, Cookie Store API
- Third-party cookies
- Cookie specification: RFC 6265
- Cookies, the GDPR, and the ePrivacy Directive |
| Markdown |
# Using HTTP cookies
A **cookie** (also known as a web cookie or browser cookie) is a small piece of data a server sends to a user's web browser. The browser may store cookies, create new cookies, modify existing ones, and send them back to the same server with later requests. Cookies enable web applications to store limited amounts of data and remember state information; by default the HTTP protocol is [stateless](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Overview#http_is_stateless_but_not_sessionless).
In this article we will explore the main uses of cookies, explain best practices for using them, and look at their privacy and security implications.
## In this article
- [What cookies are used for](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#what_cookies_are_used_for)
- [Creating, removing, and updating cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#creating_removing_and_updating_cookies)
- [Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#security)
- [Privacy and tracking](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#privacy_and_tracking)
- [Cookie-related regulations](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie-related_regulations)
- [See also](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#see_also)
## [What cookies are used for](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#what_cookies_are_used_for)
Typically, the server will use the contents of HTTP cookies to determine whether different requests come from the same browser/user and then issue a personalized or generic response as appropriate. The following describes a basic user sign-in system:
1. The user sends sign-in credentials to the server, for example via a form submission.
2. If the credentials are correct, the server updates the UI to indicate that the user is signed in, and responds with a cookie containing a session ID that records their sign-in status on the browser.
3. At a later time, the user moves to a different page on the same site. The browser sends the cookie containing the session ID along with the corresponding request to indicate that it still thinks the user is signed in.
4. The server checks the session ID and, if it is still valid, sends the user a personalized version of the new page. If it is not valid, the session ID is deleted and the user is shown a generic version of the page (or perhaps shown an "access denied" message and asked to sign in again).

Cookies are mainly used for three purposes:
- **Session management**: User sign-in status, shopping cart contents, game scores, or any other user session-related details that the server needs to remember.
- **Personalization**: User preferences such as display language and UI theme.
- **Tracking**: Recording and analyzing user behavior.
### [Data storage](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#data_storage)
In the early days of the web when there was no other option, cookies were used for general client-side data storage purposes. Modern storage APIs are now recommended, for example the [Web Storage API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API) (`localStorage` and `sessionStorage`) and [IndexedDB](https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API).
They are designed with storage in mind, never send data to the server, and don't come with other drawbacks of using cookies for storage:
- Browsers are generally limited to a maximum number of cookies per domain (varies by browser, generally in the hundreds), and a maximum size per cookie (usually 4KB). Storage APIs can store larger amounts of data.
- Cookies are sent with every request, so they can worsen performance (for example on slow mobile data connections), especially if you have a lot of cookies set.
**Note:** To see stored cookies (and other storage that a web page is using) you can use the [Storage Inspector](https://firefox-source-docs.mozilla.org/devtools-user/storage_inspector/index.html) in Firefox Developer Tools, or the [Application panel](https://developer.chrome.com/docs/devtools/progressive-web-apps) in Chrome Developer Tools.
## [Creating, removing, and updating cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#creating_removing_and_updating_cookies)
After receiving an HTTP request, a server can send one or more [`Set-Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie) headers with the response, each one of which will set a separate cookie. A cookie is set by specifying a name-value pair like this:
```http
Set-Cookie: <cookie-name>=<cookie-value>
```
The following HTTP response instructs the receiving browser to store a pair of cookies:
```http
HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: yummy_cookie=chocolate
Set-Cookie: tasty_cookie=strawberry
[page content]
```
**Note:** Find out how to use the `Set-Cookie` header in various server-side languages/frameworks: [PHP](https://www.php.net/manual/en/function.setcookie.php), [Node.js](https://nodejs.org/docs/latest-v19.x/api/http.html#responsesetheadername-value), [Python](https://docs.python.org/3/library/http.cookies.html), [Ruby on Rails](https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html).
When a new request is made, the browser usually sends previously stored cookies for the current domain back to the server within a [`Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cookie) HTTP header:
```http
GET /sample_page.html HTTP/2.0
Host: www.example.org
Cookie: yummy_cookie=chocolate; tasty_cookie=strawberry
```
### [Removal: defining the lifetime of a cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#removal_defining_the_lifetime_of_a_cookie)
You can specify an expiration date or time period after which the cookie should be deleted and no longer sent. Depending on the attributes set within the [`Set-Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie) header when the cookies are created, they can be either *permanent* or *session* cookies:
- Permanent cookies are deleted after the date specified in the `Expires` attribute:
```http
Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT;
```
or after the period specified in the `Max-Age` attribute:
```http
Set-Cookie: id=a3fWa; Max-Age=2592000
```
**Note:** `Expires` has been available for longer than `Max-Age`; however, `Max-Age` is less error-prone and takes precedence when both are set. The rationale is that an `Expires` date and time is interpreted according to the clock of the client the cookie is being set on; if the server's clock is set to a different time, the cookie may expire earlier or later than the server intended.
- *Session* cookies, cookies without a `Max-Age` or `Expires` attribute, are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers use *session restoring* when restarting, which can cause session cookies to last indefinitely.
**Note:** If your site authenticates users, it should regenerate and resend session cookies, even ones that already exist, whenever a user authenticates. This approach helps prevent [session fixation](https://owasp.org/www-community/attacks/Session_fixation) attacks, where a third party can reuse a user's session.
To immediately remove a cookie, set the cookie again with the same name, path, and domain (if specified), and set its `Expires` attribute to a date in the past or its `Max-Age` attribute to `0` or a negative value. This instructs the browser to delete the cookie right away. For example:
```http
Set-Cookie: id=a3fWa; Max-Age=0
```
You can also clear all cookies associated with a registrable domain using the [`Clear-Site-Data`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Clear-Site-Data) response header. For example, the following header sent from `https://foo.example.com/` would clear all cookies sent by `example.com` and all of its subdomains, such as `all.bar.example.com`.
```http
Clear-Site-Data: "cookies"
```
There are some techniques designed to recreate cookies after they're deleted. These are known as "zombie" cookies. These techniques violate the principles of user [privacy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#privacy_and_tracking) and control, may violate [data privacy regulations](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie-related_regulations), and could expose a website using them to legal liability.
### [Updating cookie values](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#updating_cookie_values)
To update a cookie via HTTP, the server can send a [`Set-Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie) header with the existing cookie's name and a new value. For example:
```http
Set-Cookie: id=new-value
```
There are several reasons why you might want to do this, for example if a user has updated their preferences and the application wants to reflect the changes in client-side data (you could also do this with a client-side storage mechanism such as [Web Storage](https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API)).
#### Updating cookies via JavaScript
In the browser, you can create new cookies via JavaScript using the [`Document.cookie`](https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie) property, or the asynchronous [Cookie Store API](https://developer.mozilla.org/en-US/docs/Web/API/Cookie_Store_API "Cookie Store API"). Note that all examples below use `Document.cookie`, as it is the most widely supported/established option.
```js
document.cookie = "yummy_cookie=chocolate";
document.cookie = "tasty_cookie=strawberry";
```
You can also access existing cookies and set new values for them:
```js
console.log(document.cookie);
// logs "yummy_cookie=chocolate; tasty_cookie=strawberry"
document.cookie = "yummy_cookie=blueberry";
console.log(document.cookie);
// logs "tasty_cookie=strawberry; yummy_cookie=blueberry"
```
For security purposes, you can't change cookie values by sending an updated `Cookie` header directly when initiating a request, for example, via [`fetch()`](https://developer.mozilla.org/en-US/docs/Web/API/Window/fetch "fetch()") or [`XMLHttpRequest`](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest).
There are good reasons why you shouldn't allow JavaScript to modify cookies at all. You can prevent JavaScript from accessing a cookie by specifying the [`HttpOnly`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#httponly) attribute during its creation. See the [Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#security) section for more details.
## [Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#security)
When you store information in cookies, by default all cookie values are visible to, and can be changed by, the end user. You really don't want your cookies to be misused — for example accessed/modified by bad actors, or sent to domains where they shouldn't be sent. The potential consequences can range from annoying — apps not working or exhibiting strange behavior — to catastrophic. A criminal could for example steal a session ID and use it to set a cookie that makes it look like they are logged in as someone else, taking control of their bank or e-commerce account in the process.
You can secure your cookies in a variety of ways, which are reviewed in this section.
### [Block access to your cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies)
You can ensure that cookies are sent securely and aren't accessed by unintended parties or scripts in two ways: with the `Secure` attribute and with the `HttpOnly` attribute:
```http
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly
```
- A cookie with the `Secure` attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means [man-in-the-middle](https://developer.mozilla.org/en-US/docs/Glossary/MitM) attackers can't access it easily. Insecure sites (with `http:` in the URL) can't set cookies with the `Secure` attribute. However, don't assume that `Secure` prevents all access to sensitive information in cookies. For example, someone with access to the client's hard disk (or JavaScript if the `HttpOnly` attribute isn't set) can read and modify the information.
- A cookie with the `HttpOnly` attribute can't be accessed by JavaScript, for example using [`Document.cookie`](https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie); it can only be accessed when it reaches the server. Cookies that persist user sessions for example should have the `HttpOnly` attribute set — it would be really insecure to make them available to JavaScript. This precaution helps mitigate cross-site scripting ([XSS](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/XSS)) attacks.
**Note:** Depending on the application, you may want to use an opaque identifier that the server looks up rather than storing sensitive information directly in cookies, or investigate alternative authentication/confidentiality mechanisms such as [JSON Web Tokens](https://www.jwt.io/).
### [Define where cookies are sent](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#define_where_cookies_are_sent)
The `Domain` and `Path` attributes define the *scope* of a cookie: what URLs the cookies are sent to.
- The `Domain` attribute specifies which server can receive a cookie. If specified, cookies are available on the specified server and its subdomains. For example, if you set `Domain=mozilla.org` from `mozilla.org`, cookies are available on that domain and subdomains like `developer.mozilla.org`.
```http
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly; Domain=mozilla.org
```
If the `Set-Cookie` header does not specify a `Domain` attribute, the cookies are available on the server that sets it *but not on its subdomains*. Therefore, specifying `Domain` is less restrictive than omitting it. Note that a server can only set the `Domain` attribute to its own domain or a parent domain, not to a subdomain or some other domain. So, for example, a server with domain `foo.example.com` could set the attribute to `example.com` or `foo.example.com`, but not `bar.foo.example.com` or `elsewhere.com` (the cookies would still be *sent* to subdomains such as `bar.foo.example.com` though). See [Invalid domains](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#invalid_domains) for more details.
- The `Path` attribute indicates a URL path that must exist in the requested URL in order to send the `Cookie` header. For example:
```http
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly; Path=/docs
```
The `%x2F` ("/") character is considered a directory separator, and subdirectories match as well. For example, if you set `Path=/docs`, these request paths match:
- `/docs`
- `/docs/`
- `/docs/Web/`
- `/docs/Web/HTTP`
But these request paths don't:
- `/`
- `/docsets`
- `/fr/docs`
**Note:** The `Path` attribute lets you control what cookies the browser sends based on the different parts of a site. It is not intended as a security measure, and [does not protect](https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie#security) against unauthorized reading of the cookie from a different path.
### [Controlling third-party cookies with `SameSite`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#controlling_third-party_cookies_with_samesite)
The [`SameSite`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value) attribute lets servers specify whether/when cookies are sent with cross-site requests — i.e., [third-party cookies](https://developer.mozilla.org/en-US/docs/Web/Privacy/Guides/Third-party_cookies). Cross-site requests are requests where the [site](https://developer.mozilla.org/en-US/docs/Glossary/Site) (the registrable domain) and/or the scheme (http or https) do not match the site the user is currently visiting. This includes requests sent when links are clicked on other sites to navigate to your site, and any request sent by embedded third-party content.
`SameSite` helps to prevent leakage of information, preserving user [privacy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#privacy_and_tracking) and providing some protection against [cross-site request forgery](https://developer.mozilla.org/en-US/docs/Glossary/CSRF) attacks. It takes three possible values: `Strict`, `Lax`, and `None`:
- `Strict` causes the browser to only send the cookie in response to requests originating from the cookie's origin site. This should be used when you have cookies relating to functionality that will always be behind an initial navigation, such as authentication or storing shopping cart information.
```http
Set-Cookie: cart=110045_77895_53420; SameSite=Strict
```
**Note:** Cookies that are used for sensitive information should also have a short [lifetime](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#removal_defining_the_lifetime_of_a_cookie).
- `Lax` is similar, except the browser also sends the cookie when the user *navigates* to the cookie's origin site (even if the user is coming from a different site). This is useful for cookies affecting the display of a site — for example you might have partner product information along with an affiliate link on your website. When that link is followed to the partner website, they might want to set a cookie stating that the affiliate link was followed, which displays a reward banner and provides a discount if the product is purchased.
```http
Set-Cookie: affiliate=e4rt45dw; SameSite=Lax
```
- `None` specifies that cookies are sent on both originating and cross-site requests. This is useful if you want to send cookies along with requests made from third-party content embedded in other sites, for example, ad-tech or analytics providers. Note that if `SameSite=None` is set then the `Secure` attribute must also be set — `SameSite=None` requires a *secure context*.
```http
Set-Cookie: widget_session=7yjgj57e4n3d; SameSite=None; Secure; HttpOnly
```
If no `SameSite` attribute is set, the cookie is treated as `Lax` by default.
### [Cookie prefixes](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes)
Because of the design of the cookie mechanism, a server can't confirm that a cookie was set from a secure origin or even tell *where* a cookie was originally set.
An application on a subdomain can set a cookie with the `Domain` attribute, which gives access to that cookie on all other subdomains. This mechanism can be abused in a [session fixation](https://owasp.org/www-community/attacks/Session_fixation) attack.
As a [defense-in-depth measure](https://en.wikipedia.org/wiki/Defense_in_depth_\(computing\)), you can use *cookie prefixes* to impose specific restrictions on a cookie's attributes in supporting user-agents. All cookie prefixes start with a double-underscore (`__`) and end in a dash (`-`). Four prefixes are available:
- **`__Secure-`**: Cookies with names starting with `__Secure-` must be set with the `Secure` attribute by a secure page (HTTPS).
- **`__Host-`**: Cookies with names starting with `__Host-` must be set with the `Secure` attribute by a secure page (HTTPS). In addition, they must not have a `Domain` attribute specified, and the `Path` attribute must be set to `/`. This guarantees that such cookies are only sent to the host that set them, and not to any other host on the domain. It also guarantees that they are set host-wide and cannot be overridden on any path on that host. This combination yields a cookie that is as close as can be to treating the origin as a security boundary.
- **`__Http-`**: Cookies with names starting with `__Http-` must be set with the `Secure` flag by a secure page (HTTPS) and in addition must have the `HttpOnly` attribute set to prove that they were set via the `Set-Cookie` header (they can't be set or modified via JavaScript features such as [`Document.cookie`](https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie) or the [Cookie Store API](https://developer.mozilla.org/en-US/docs/Web/API/Cookie_Store_API)).
- **`__Host-Http-`**: Cookies with names starting with `__Host-Http-` must be set with the `Secure` flag by a secure page (HTTPS) and must have the `HttpOnly` attribute set to prove that they were set via the `Set-Cookie` header. In addition, they also have the same restrictions as `__Host-`-prefixed cookies. This combination yields a cookie that is as close as can be to treating the origin as a security boundary while at the same time ensuring developers and server operators know that its scope is limited to HTTP requests.
The browser will reject cookies with these prefixes that don't comply with their restrictions. As the application server only checks for a specific cookie name when determining if the user is authenticated or a CSRF token is correct, this effectively acts as a defense measure against [session fixation](https://owasp.org/www-community/attacks/Session_fixation).
**Note:** On the server, the web application *must* check for the full cookie name including the prefix. User agents *do not* strip the prefix from the cookie before sending it in a request's [`Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cookie) header.
For more information about cookie prefixes and the current state of browser support, see the [Prefixes section of the Set-Cookie reference article](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#cookie_prefixes).
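The acceptance rules described in this Security section (`Secure` on insecure origins, `Domain` scope, `Path` matching, `SameSite=None` requiring `Secure`, and the four cookie prefixes), together with the `Max-Age`/`Expires` precedence rule from the lifetime section, implemented as a lint you can run over your own `Set-Cookie` header values before a browser sees them. This is an added example, not MDN's or any browser's code; it assumes the sending origin is given as `{ scheme, host }`, treats `http://localhost` as secure as browsers do, and omits public-suffix checks.

```javascript
// Added example (not MDN's or any browser's code): applies the Set-Cookie
// acceptance rules this guide describes. Assumptions: origin = { scheme, host }
// of the response that carried the header; localhost counts as secure;
// public-suffix ("Invalid domains") checks are left out.

// Split a Set-Cookie header value into its name/value pair and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";");
  const eq = pair.indexOf("=");
  const cookie = {
    name: (eq === -1 ? "" : pair.slice(0, eq)).trim(),
    value: (eq === -1 ? pair : pair.slice(eq + 1)).trim(),
    secure: false, httpOnly: false, domain: null, path: null,
    sameSite: null, maxAge: null, expires: null,
  };
  for (const raw of attrs) {
    const [k, ...rest] = raw.trim().split("=");
    const key = k.trim().toLowerCase();
    const val = rest.join("=").trim();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path") cookie.path = val;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
    else if (key === "max-age") cookie.maxAge = Number(val);
    else if (key === "expires") cookie.expires = val;
  }
  return cookie;
}

// A host matches a Domain attribute if it equals it or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Path matching with "/" as the directory separator: Path=/docs matches
// /docs, /docs/ and /docs/Web/HTTP but not /, /docsets or /fr/docs.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Expiry in ms since the epoch as the client computes it: Max-Age wins when
// both attributes are present; neither present means a session cookie (null).
function cookieExpiry(cookie, clientNow) {
  if (cookie.maxAge !== null) return clientNow + cookie.maxAge * 1000;
  if (cookie.expires !== null) return Date.parse(cookie.expires);
  return null;
}

// Reasons a browser would reject the cookie; an empty array means accepted.
function lintSetCookie(header, origin) {
  const c = parseSetCookie(header);
  const secureOrigin = origin.scheme === "https" || origin.host === "localhost";
  const problems = [];
  if (!c.name) problems.push("cookie has no name");
  if (c.secure && !secureOrigin) problems.push("Secure cookie set from an insecure origin");
  if (c.sameSite === "none" && !c.secure) problems.push("SameSite=None requires Secure");
  if (c.domain !== null && !domainMatches(origin.host, c.domain)) {
    problems.push(`Domain=${c.domain} is neither the origin host nor a parent of it`);
  }
  const hostPrefixed = c.name.startsWith("__Host-"); // also covers __Host-Http-
  const httpPrefixed = c.name.startsWith("__Http-") || c.name.startsWith("__Host-Http-");
  if ((c.name.startsWith("__Secure-") || hostPrefixed || httpPrefixed) && !c.secure) {
    problems.push("prefixed cookie must have the Secure attribute");
  }
  if (hostPrefixed && c.domain !== null) problems.push("__Host- cookie must not have a Domain attribute");
  if (hostPrefixed && c.path !== "/") problems.push("__Host- cookie must have Path=/");
  if (httpPrefixed && !c.httpOnly) problems.push("__Http- cookie must have the HttpOnly attribute");
  return problems;
}
```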
## [Privacy and tracking](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#privacy_and_tracking)
Earlier on we talked about how the `SameSite` attribute can be used to control when third-party cookies are sent, and that this can help preserve user privacy. Privacy is a very important consideration when building websites which, when done right, can build trust with your users. If done badly, it can completely erode that trust and cause all kinds of other problems.
Third-party cookies can be set by third-party content embedded in sites via [`<iframe>`](https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/iframe)s. They have many legitimate uses, including sharing user profile information, counting ad impressions, or collecting analytics across different related domains.
However, third-party cookies can also be used to create creepy, invasive user experiences. A third-party server can create a profile of a user's browsing history and habits based on cookies sent to it by the same browser when accessing multiple sites. The classic example is when you search for product information on one site and are then chased around the web by adverts for similar products wherever you go.
Browser vendors know that users don't like this behavior, and as a result have all started to block third-party cookies by default, or at least made plans to go in that direction. Third-party cookies (or just tracking cookies) may also be blocked by other browser settings or extensions.
**Note:** Cookie blocking can cause some third-party components (such as social media widgets) not to function as intended. As browsers impose further restrictions on third-party cookies, developers should start to look at ways to reduce their reliance on them.
See our [Third-party cookies](https://developer.mozilla.org/en-US/docs/Web/Privacy/Guides/Third-party_cookies) article for detailed information on third-party cookies, the issues associated with them, and what alternatives are available. See our [Privacy](https://developer.mozilla.org/en-US/docs/Web/Privacy) landing page for more information on privacy in general.
## [Cookie-related regulations](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie-related_regulations)
Legislation or regulations that cover the use of cookies include:
- The [General Data Privacy Regulation](https://gdpr.eu/) (GDPR) in the European Union
- The ePrivacy Directive in the EU
- The California Consumer Privacy Act
These regulations have global reach. They apply to any site on the *World Wide* Web that users from these jurisdictions access (the EU and California, with the caveat that California's law applies only to entities with gross revenue over 25 million USD, among other things).
These regulations include requirements such as:
- Notifying users that your site uses cookies.
- Allowing users to opt out of receiving some or all cookies.
- Allowing users to use the bulk of your service without receiving cookies.
There may be other regulations that govern the use of cookies in your locality. The burden is on you to know and comply with these regulations. There are companies that offer "cookie banner" code that helps you comply with these regulations.
**Note:** Companies should disclose the types of cookies they use on their sites for transparency purposes and to comply with regulations. For example, see [Google's notice on the types of cookies it uses](https://policies.google.com/technologies/cookies#types-of-cookies) and Mozilla's [Websites, Communications & Cookies Privacy Notice](https://www.mozilla.org/en-US/privacy/websites/#cookies).
## [See also](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#see_also)
- Related HTTP headers: [`Set-Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie), [`Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cookie)
- Related JavaScript APIs: [`Document.cookie`](https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie), [`Navigator.cookieEnabled`](https://developer.mozilla.org/en-US/docs/Web/API/Navigator/cookieEnabled), [Cookie Store API](https://developer.mozilla.org/en-US/docs/Web/API/Cookie_Store_API "Cookie Store API")
- [Third-party cookies](https://developer.mozilla.org/en-US/docs/Web/Privacy/Guides/Third-party_cookies)
- [Cookie specification: RFC 6265](https://datatracker.ietf.org/doc/html/rfc6265)
- [Cookies, the GDPR, and the ePrivacy Directive](https://gdpr.eu/cookies/)
This page was last modified on Oct 8, 2025 by [MDN contributors](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies/contributors.txt).
28. [`Connection`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Connection)
29. [`Content-Digest`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Digest)
30. [`Content-Disposition`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Disposition)
31. [`Content-DPR`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-DPR)
Non-standard
Deprecated
32. [`Content-Encoding`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Encoding)
33. [`Content-Language`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Language)
34. [`Content-Length`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Length)
35. [`Content-Location`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Location)
36. [`Content-Range`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Range)
37. [`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy)
38. [`Content-Security-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy-Report-Only)
39. [`Content-Type`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Type)
40. [`Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cookie)
41. [`Critical-CH`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Critical-CH)
Experimental
42. [`Cross-Origin-Embedder-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy)
43. [`Cross-Origin-Embedder-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy-Report-Only)
44. [`Cross-Origin-Opener-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy)
45. [`Cross-Origin-Resource-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Resource-Policy)
46. [`Date`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Date)
47. [`Device-Memory`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Device-Memory)
Non-standard
Deprecated
48. [`Dictionary-ID`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Dictionary-ID)
Experimental
49. [`DNT`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/DNT)
Non-standard
Deprecated
50. [`Downlink`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Downlink)
Experimental
51. [`DPR`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/DPR)
Non-standard
Deprecated
52. [`Early-Data`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Early-Data)
Experimental
53. [`ECT`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/ECT)
Experimental
54. [`ETag`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/ETag)
55. [`Expect`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Expect)
56. [`Expect-CT`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Expect-CT)
Deprecated
57. [`Expires`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Expires)
58. [`Forwarded`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Forwarded)
59. [`From`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/From)
60. [`Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Host)
61. [`Idempotency-Key`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Idempotency-Key)
Experimental
62. [`If-Match`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/If-Match)
63. [`If-Modified-Since`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/If-Modified-Since)
64. [`If-None-Match`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/If-None-Match)
65. [`If-Range`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/If-Range)
66. [`If-Unmodified-Since`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/If-Unmodified-Since)
67. [`Integrity-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Integrity-Policy)
68. [`Integrity-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Integrity-Policy-Report-Only)
69. [`Keep-Alive`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Keep-Alive)
70. [`Last-Modified`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Last-Modified)
71. [`Link`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Link)
72. [`Location`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Location)
73. [`Max-Forwards`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Max-Forwards)
74. [`NEL`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/NEL)
Experimental
75. [`No-Vary-Search`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/No-Vary-Search)
Experimental
76. [`Observe-Browsing-Topics`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Observe-Browsing-Topics)
Non-standard
Deprecated
77. [`Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin)
78. [`Origin-Agent-Cluster`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster)
79. [`Permissions-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy)
Experimental
80. [`Pragma`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Pragma)
Deprecated
81. [`Prefer`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Prefer)
82. [`Preference-Applied`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Preference-Applied)
83. [`Priority`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Priority)
84. [`Proxy-Authenticate`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Proxy-Authenticate)
85. [`Proxy-Authorization`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Proxy-Authorization)
86. [`Range`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Range)
87. [`Referer`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referer)
88. [`Referrer-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referrer-Policy)
89. [`Refresh`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Refresh)
90. [`Report-To`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Report-To)
Non-standard
Deprecated
91. [`Reporting-Endpoints`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Reporting-Endpoints)
92. [`Repr-Digest`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Repr-Digest)
93. [`Retry-After`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Retry-After)
94. [`RTT`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/RTT)
Experimental
95. [`Save-Data`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Save-Data)
Experimental
96. [`Sec-Browsing-Topics`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Browsing-Topics)
Non-standard
Deprecated
97. [`Sec-CH-Device-Memory`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-Device-Memory)
Experimental
98. [`Sec-CH-DPR`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-DPR)
Experimental
99. [`Sec-CH-Prefers-Color-Scheme`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-Prefers-Color-Scheme)
Experimental
100. [`Sec-CH-Prefers-Reduced-Motion`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-Prefers-Reduced-Motion)
Experimental
101. [`Sec-CH-Prefers-Reduced-Transparency`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-Prefers-Reduced-Transparency)
Experimental
102. [`Sec-CH-UA`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-UA)
Experimental
103. [`Sec-CH-UA-Arch`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-UA-Arch)
Experimental
104. [`Sec-CH-UA-Bitness`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-UA-Bitness)
Experimental
105. [`Sec-CH-UA-Form-Factors`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-UA-Form-Factors)
Experimental
106. [`Sec-CH-UA-Full-Version`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-UA-Full-Version)
Deprecated
107. [`Sec-CH-UA-Full-Version-List`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-UA-Full-Version-List)
Experimental
108. [`Sec-CH-UA-Mobile`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-UA-Mobile)
Experimental
109. [`Sec-CH-UA-Model`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-UA-Model)
Experimental
110. [`Sec-CH-UA-Platform`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-UA-Platform)
Experimental
111. [`Sec-CH-UA-Platform-Version`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-UA-Platform-Version)
Experimental
112. [`Sec-CH-UA-WoW64`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-UA-WoW64)
Experimental
113. [`Sec-CH-Viewport-Height`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-Viewport-Height)
Experimental
114. [`Sec-CH-Viewport-Width`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-Viewport-Width)
Experimental
115. [`Sec-CH-Width`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-Width)
Experimental
116. [`Sec-Fetch-Dest`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Dest)
117. [`Sec-Fetch-Mode`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Mode)
118. [`Sec-Fetch-Site`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Site)
119. [`Sec-Fetch-Storage-Access`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Storage-Access)
120. [`Sec-Fetch-User`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-User)
121. [`Sec-GPC`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-GPC)
Experimental
122. [`Sec-Private-State-Token`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Private-State-Token)
Experimental
123. [`Sec-Private-State-Token-Crypto-Version`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Private-State-Token-Crypto-Version)
Experimental
124. [`Sec-Private-State-Token-Lifetime`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Private-State-Token-Lifetime)
Experimental
125. [`Sec-Purpose`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Purpose)
126. [`Sec-Redemption-Record`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Redemption-Record)
Experimental
127. [`Sec-Speculation-Tags`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Speculation-Tags)
Experimental
128. [`Sec-WebSocket-Accept`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-WebSocket-Accept)
129. [`Sec-WebSocket-Extensions`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-WebSocket-Extensions)
130. [`Sec-WebSocket-Key`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-WebSocket-Key)
131. [`Sec-WebSocket-Protocol`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-WebSocket-Protocol)
132. [`Sec-WebSocket-Version`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-WebSocket-Version)
133. [`Server`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Server)
134. [`Server-Timing`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Server-Timing)
135. [`Service-Worker`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Service-Worker)
136. [`Service-Worker-Allowed`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Service-Worker-Allowed)
137. [`Service-Worker-Navigation-Preload`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Service-Worker-Navigation-Preload)
138. [`Set-Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie)
139. [`Set-Login`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Login)
140. [`SourceMap`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/SourceMap)
141. [`Speculation-Rules`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Speculation-Rules)
Experimental
142. [`Strict-Transport-Security`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security)
143. [`Supports-Loading-Mode`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Supports-Loading-Mode)
Experimental
144. [`TE`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/TE)
145. [`Timing-Allow-Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Timing-Allow-Origin)
146. [`Tk`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Tk)
Non-standard
Deprecated
147. [`Trailer`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Trailer)
148. [`Transfer-Encoding`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Transfer-Encoding)
149. [`Upgrade`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Upgrade)
150. [`Upgrade-Insecure-Requests`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Upgrade-Insecure-Requests)
151. [`Use-As-Dictionary`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Use-As-Dictionary)
Experimental
152. [`User-Agent`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent)
153. [`Vary`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Vary)
154. [`Via`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Via)
155. [`Viewport-Width`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Viewport-Width)
Non-standard
Deprecated
156. [`Want-Content-Digest`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Want-Content-Digest)
157. [`Want-Repr-Digest`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Want-Repr-Digest)
158. [`Warning`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Warning)
Deprecated
159. [`Width`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Width)
Non-standard
Deprecated
160. [`WWW-Authenticate`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/WWW-Authenticate)
161. [`X-Content-Type-Options`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options)
162. [`X-DNS-Prefetch-Control`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-DNS-Prefetch-Control)
Non-standard
163. [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-For)
Non-standard
164. [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-Host)
Non-standard
165. [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-Proto)
Non-standard
166. [`X-Frame-Options`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options)
167. [`X-Permitted-Cross-Domain-Policies`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Permitted-Cross-Domain-Policies)
Non-standard
168. [`X-Powered-By`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Powered-By)
Non-standard
169. [`X-Robots-Tag`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Robots-Tag)
Non-standard
170. [`X-XSS-Protection`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-XSS-Protection)
Non-standard
Deprecated
27. [HTTP request methods](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods)
1. [`CONNECT`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods/CONNECT)
2. [`DELETE`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods/DELETE)
3. [`GET`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods/GET)
4. [`HEAD`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods/HEAD)
5. [`OPTIONS`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods/OPTIONS)
6. [`PATCH`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods/PATCH)
7. [`POST`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods/POST)
8. [`PUT`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods/PUT)
9. [`TRACE`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods/TRACE)
28. [HTTP response status codes](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status)
1. [`100 Continue`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/100)
2. [`101 Switching Protocols`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/101)
3. [`102 Processing`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/102)
4. [`103 Early Hints`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/103)
5. [`200 OK`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/200)
6. [`201 Created`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/201)
7. [`202 Accepted`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/202)
8. [`203 Non-Authoritative Information`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/203)
9. [`204 No Content`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/204)
10. [`205 Reset Content`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/205)
11. [`206 Partial Content`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/206)
12. [`207 Multi-Status`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/207)
13. [`208 Already Reported`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/208)
14. [`226 IM Used`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/226)
15. [`300 Multiple Choices`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/300)
16. [`301 Moved Permanently`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/301)
17. [`302 Found`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/302)
18. [`303 See Other`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/303)
19. [`304 Not Modified`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/304)
20. [`307 Temporary Redirect`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/307)
21. [`308 Permanent Redirect`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/308)
22. [`400 Bad Request`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/400)
23. [`401 Unauthorized`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/401)
24. [`402 Payment Required`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/402)
25. [`403 Forbidden`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/403)
26. [`404 Not Found`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/404)
27. [`405 Method Not Allowed`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/405)
28. [`406 Not Acceptable`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/406)
29. [`407 Proxy Authentication Required`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/407)
30. [`408 Request Timeout`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/408)
31. [`409 Conflict`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/409)
32. [`410 Gone`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/410)
33. [`411 Length Required`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/411)
34. [`412 Precondition Failed`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/412)
35. [`413 Content Too Large`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/413)
36. [`414 URI Too Long`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/414)
37. [`415 Unsupported Media Type`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/415)
38. [`416 Range Not Satisfiable`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/416)
39. [`417 Expectation Failed`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/417)
40. [`418 I'm a teapot`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/418)
41. [`421 Misdirected Request`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/421)
42. [`422 Unprocessable Content`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/422)
43. [`423 Locked`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/423)
44. [`424 Failed Dependency`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/424)
45. [`425 Too Early`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/425)
46. [`426 Upgrade Required`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/426)
47. [`428 Precondition Required`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/428)
48. [`429 Too Many Requests`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/429)
49. [`431 Request Header Fields Too Large`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/431)
50. [`451 Unavailable For Legal Reasons`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/451)
51. [`500 Internal Server Error`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/500)
52. [`501 Not Implemented`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/501)
53. [`502 Bad Gateway`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/502)
54. [`503 Service Unavailable`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/503)
55. [`504 Gateway Timeout`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/504)
56. [`505 HTTP Version Not Supported`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/505)
57. [`506 Variant Also Negotiates`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/506)
58. [`507 Insufficient Storage`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/507)
59. [`508 Loop Detected`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/508)
60. [`510 Not Extended`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/510)
61. [`511 Network Authentication Required`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/511)
29. [CSP directives](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy#directives)
1. [`base-uri`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/base-uri)
2. [`block-all-mixed-content`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/block-all-mixed-content)
Deprecated
3. [`child-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/child-src)
4. [`connect-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/connect-src)
5. [`default-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/default-src)
6. [`fenced-frame-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/fenced-frame-src)
Experimental
7. [`font-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/font-src)
8. [`form-action`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/form-action)
9. [`frame-ancestors`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/frame-ancestors)
10. [`frame-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/frame-src)
11. [`img-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/img-src)
12. [`manifest-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/manifest-src)
13. [`media-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/media-src)
14. [`object-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/object-src)
15. [`prefetch-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/prefetch-src)
Non-standard
Deprecated
16. [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/report-to)
17. [`report-uri`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/report-uri)
Deprecated
18. [`require-trusted-types-for`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/require-trusted-types-for)
19. [`sandbox`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/sandbox)
20. [`script-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src)
21. [`script-src-attr`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src-attr)
22. [`script-src-elem`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src-elem)
23. [`style-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/style-src)
24. [`style-src-attr`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/style-src-attr)
25. [`style-src-elem`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/style-src-elem)
26. [`trusted-types`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/trusted-types)
27. [`upgrade-insecure-requests`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/upgrade-insecure-requests)
28. [`worker-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/worker-src)
30. [Permissions-Policy directives](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy#directives)
Experimental
1. [`accelerometer`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy/accelerometer)
Experimental
2. [`ambient-light-sensor`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy/ambient-light-sensor)
Experimental
Portions of this content are ©1998–2026 by individual mozilla.org contributors. Content available under [a Creative Commons license](https://developer.mozilla.org/docs/MDN/Writing_guidelines/Attrib_copyright_license). |
| Readable Markdown | ## [What cookies are used for](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#what_cookies_are_used_for)
Typically, the server will use the contents of HTTP cookies to determine whether different requests come from the same browser/user and then issue a personalized or generic response as appropriate. The following describes a basic user sign-in system:
1. The user sends sign-in credentials to the server, for example via a form submission.
2. If the credentials are correct, the server updates the UI to indicate that the user is signed in, and responds with a cookie containing a session ID that records their sign-in status on the browser.
3. At a later time, the user moves to a different page on the same site. The browser sends the cookie containing the session ID along with the corresponding request to indicate that it still thinks the user is signed in.
4. The server checks the session ID and, if it is still valid, sends the user a personalized version of the new page. If it is not valid, the session ID is deleted and the user is shown a generic version of the page (or perhaps shown an "access denied" message and asked to sign in again).

Cookies are mainly used for three purposes:
- **Session management**: User sign-in status, shopping cart contents, game scores, or any other user session-related details that the server needs to remember.
- **Personalization**: User preferences such as display language and UI theme.
- **Tracking**: Recording and analyzing user behavior.
### [Data storage](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#data_storage)
In the early days of the web when there was no other option, cookies were used for general client-side data storage purposes. Modern storage APIs are now recommended, for example the [Web Storage API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API) (`localStorage` and `sessionStorage`) and [IndexedDB](https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API).
They are designed with storage in mind, never send data to the server, and don't come with other drawbacks of using cookies for storage:
- Browsers are generally limited to a maximum number of cookies per domain (varies by browser, generally in the hundreds), and a maximum size per cookie (usually 4KB). Storage APIs can store larger amounts of data.
- Cookies are sent with every request, so they can worsen performance (for example on slow mobile data connections), especially if you have a lot of cookies set.
**Note:** To see stored cookies (and other storage that a web page is using) you can use the [Storage Inspector](https://firefox-source-docs.mozilla.org/devtools-user/storage_inspector/index.html) in Firefox Developer Tools, or the [Application panel](https://developer.chrome.com/docs/devtools/progressive-web-apps) in Chrome Developer Tools.
## [Creating, removing, and updating cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#creating_removing_and_updating_cookies)
After receiving an HTTP request, a server can send one or more [`Set-Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie) headers with the response, each one of which will set a separate cookie. A cookie is set by specifying a name-value pair like this:
```http
Set-Cookie: <cookie-name>=<cookie-value>
```
The following HTTP response instructs the receiving browser to store a pair of cookies:
```http
HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: yummy_cookie=chocolate
Set-Cookie: tasty_cookie=strawberry
[page content]
```
**Note:** Find out how to use the `Set-Cookie` header in various server-side languages/frameworks: [PHP](https://www.php.net/manual/en/function.setcookie.php), [Node.js](https://nodejs.org/docs/latest-v19.x/api/http.html#responsesetheadername-value), [Python](https://docs.python.org/3/library/http.cookies.html), [Ruby on Rails](https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html).
When a new request is made, the browser usually sends previously stored cookies for the current domain back to the server within a [`Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cookie) HTTP header:
```http
GET /sample_page.html HTTP/2.0
Host: www.example.org
Cookie: yummy_cookie=chocolate; tasty_cookie=strawberry
```
### [Removal: defining the lifetime of a cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#removal_defining_the_lifetime_of_a_cookie)
You can specify an expiration date or time period after which the cookie should be deleted and no longer sent. Depending on the attributes set within the [`Set-Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie) header when the cookies are created, they can be either *permanent* or *session* cookies:
- Permanent cookies are deleted after the date specified in the `Expires` attribute:
```http
Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT;
```
or after the period specified in the `Max-Age` attribute:
```http
Set-Cookie: id=a3fWa; Max-Age=2592000
```
**Note:** `Expires` has been available for longer than `Max-Age`; however, `Max-Age` is less error-prone and takes precedence when both are set. The rationale is that an `Expires` date and time is interpreted relative to the clock of the client the cookie is being set on. If the server's clock differs from the client's, the cookie can expire earlier or later than intended.
- *Session* cookies (cookies without a `Max-Age` or `Expires` attribute) are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers use *session restoring* when restarting. This can cause session cookies to last indefinitely.
**Note:** If your site authenticates users, it should regenerate and resend session cookies, even ones that already exist, whenever a user authenticates. This approach helps prevent [session fixation](https://owasp.org/www-community/attacks/Session_fixation) attacks, where a third-party can reuse a user's session.
To immediately remove a cookie, set the cookie again with the same name, path, and domain (if specified), and set its `Expires` attribute to a date in the past or its `Max-Age` attribute to `0` or negative. This instructs the browser to delete the cookie right away. For example:
```http
Set-Cookie: id=a3fWa; Max-Age=0
```
You can also clear all cookies associated with a registrable domain using the [`Clear-Site-Data`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Clear-Site-Data) response header. For example, the following header sent from `https://foo.example.com/` would clear all cookies sent by `example.com` and all of its subdomains, such as `all.bar.example.com`.
```http
Clear-Site-Data: "cookies"
```
There are some techniques designed to recreate cookies after they're deleted. These are known as "zombie" cookies. These techniques violate the principles of user [privacy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#privacy_and_tracking) and control, may violate [data privacy regulations](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie-related_regulations), and could expose a website using them to legal liability.
### [Updating cookie values](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#updating_cookie_values)
To update a cookie via HTTP, the server can send a [`Set-Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie) header with the existing cookie's name and a new value. For example:
```http
Set-Cookie: id=new-value
```
There are several reasons why you might want to do this, for example if a user has updated their preferences and the application wants to reflect the changes in client-side data (you could also do this with a client-side storage mechanism such as [Web Storage](https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API)).
#### Updating cookies via JavaScript
In the browser, you can create new cookies via JavaScript using the [`Document.cookie`](https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie) property, or the asynchronous [Cookie Store API](https://developer.mozilla.org/en-US/docs/Web/API/Cookie_Store_API "Cookie Store API"). Note that all examples below use `Document.cookie`, as it is the most widely supported/established option.
```js
document.cookie = "yummy_cookie=chocolate";
document.cookie = "tasty_cookie=strawberry";
```
You can also access existing cookies and set new values for them:
```js
console.log(document.cookie);
// logs "yummy_cookie=chocolate; tasty_cookie=strawberry"
document.cookie = "yummy_cookie=blueberry";
console.log(document.cookie);
// logs "tasty_cookie=strawberry; yummy_cookie=blueberry"
```
For security purposes, you can't change cookie values by sending an updated `Cookie` header directly when initiating a request, for example, via [`fetch()`](https://developer.mozilla.org/en-US/docs/Web/API/Window/fetch "fetch()") or [`XMLHttpRequest`](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest).
There are good reasons why you shouldn't allow JavaScript to modify cookies at all. You can prevent JavaScript from accessing a cookie by specifying the [`HttpOnly`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#httponly) attribute during its creation. See the [Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#security) section for more details.
## [Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#security)
When you store information in cookies, by default all cookie values are visible to, and can be changed by, the end user. You really don't want your cookies to be misused — for example accessed/modified by bad actors, or sent to domains where they shouldn't be sent. The potential consequences can range from annoying — apps not working or exhibiting strange behavior — to catastrophic. A criminal could for example steal a session ID and use it to set a cookie that makes it look like they are logged in as someone else, taking control of their bank or e-commerce account in the process.
You can secure your cookies in a variety of ways, which are reviewed in this section.
### [Block access to your cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies)
You can ensure that cookies are sent securely and aren't accessed by unintended parties or scripts using two attributes, `Secure` and `HttpOnly`, which are usually combined:
```http
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly
```
- A cookie with the `Secure` attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means [man-in-the-middle](https://developer.mozilla.org/en-US/docs/Glossary/MitM) attackers can't access it easily. Insecure sites (with `http:` in the URL) can't set cookies with the `Secure` attribute. However, don't assume that `Secure` prevents all access to sensitive information in cookies. For example, someone with access to the client's hard disk (or JavaScript if the `HttpOnly` attribute isn't set) can read and modify the information.
- A cookie with the `HttpOnly` attribute can't be accessed by JavaScript, for example using [`Document.cookie`](https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie); it can only be accessed when it reaches the server. Cookies that persist user sessions for example should have the `HttpOnly` attribute set — it would be really insecure to make them available to JavaScript. This precaution helps mitigate cross-site scripting ([XSS](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/XSS)) attacks.
**Note:** Depending on the application, you may want to use an opaque identifier that the server looks up rather than storing sensitive information directly in cookies, or investigate alternative authentication/confidentiality mechanisms such as [JSON Web Tokens](https://www.jwt.io/).
### [Define where cookies are sent](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#define_where_cookies_are_sent)
The `Domain` and `Path` attributes define the *scope* of a cookie: what URLs the cookies are sent to.
- The `Domain` attribute specifies which server can receive a cookie. If specified, cookies are available on the specified server and its subdomains. For example, if you set `Domain=mozilla.org` from `mozilla.org`, cookies are available on that domain and subdomains like `developer.mozilla.org`.
```http
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly; Domain=mozilla.org
```
If the `Set-Cookie` header does not specify a `Domain` attribute, the cookies are available on the server that sets it *but not on its subdomains*. Therefore, specifying `Domain` is less restrictive than omitting it. Note that a server can only set the `Domain` attribute to its own domain or a parent domain, not to a subdomain or some other domain. So, for example, a server with domain `foo.example.com` could set the attribute to `example.com` or `foo.example.com`, but not `bar.foo.example.com` or `elsewhere.com` (the cookies would still be *sent* to subdomains such as `bar.foo.example.com` though). See [Invalid domains](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#invalid_domains) for more details.
- The `Path` attribute indicates a URL path that must exist in the requested URL in order to send the `Cookie` header. For example:
```http
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly; Path=/docs
```
The `%x2F` ("/") character is considered a directory separator, and subdirectories match as well. For example, if you set `Path=/docs`, these request paths match:
- `/docs`
- `/docs/`
- `/docs/Web/`
- `/docs/Web/HTTP`
But these request paths don't:
- `/`
- `/docsets`
- `/fr/docs`
**Note:** The `Path` attribute lets you control what cookies the browser sends based on the different parts of a site. It is not intended as a security measure, and [does not protect](https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie#security) against unauthorized reading of the cookie from a different path.
### [Controlling third-party cookies with `SameSite`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#controlling_third-party_cookies_with_samesite)
The [`SameSite`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value) attribute lets servers specify whether/when cookies are sent with cross-site requests — i.e., [third-party cookies](https://developer.mozilla.org/en-US/docs/Web/Privacy/Guides/Third-party_cookies). Cross-site requests are requests where the [site](https://developer.mozilla.org/en-US/docs/Glossary/Site) (the registrable domain) and/or the scheme (http or https) do not match the site the user is currently visiting. This includes requests sent when links are clicked on other sites to navigate to your site, and any request sent by embedded third-party content.
`SameSite` helps to prevent leakage of information, preserving user [privacy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#privacy_and_tracking) and providing some protection against [cross-site request forgery](https://developer.mozilla.org/en-US/docs/Glossary/CSRF) attacks. It takes three possible values: `Strict`, `Lax`, and `None`:
- `Strict` causes the browser to only send the cookie in response to requests originating from the cookie's origin site. This should be used when you have cookies relating to functionality that will always be behind an initial navigation, such as authentication or storing shopping cart information.
```http
Set-Cookie: cart=110045_77895_53420; SameSite=Strict
```
**Note:** Cookies that are used for sensitive information should also have a short [lifetime](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#removal_defining_the_lifetime_of_a_cookie).
- `Lax` is similar, except the browser also sends the cookie when the user *navigates* to the cookie's origin site (even if the user is coming from a different site). This is useful for cookies affecting the display of a site — for example you might have partner product information along with an affiliate link on your website. When that link is followed to the partner website, they might want to set a cookie stating that the affiliate link was followed, which displays a reward banner and provides a discount if the product is purchased.
```http
Set-Cookie: affiliate=e4rt45dw; SameSite=Lax
```
- `None` specifies that cookies are sent on both originating and cross-site requests. This is useful if you want to send cookies along with requests made from third-party content embedded in other sites, for example, ad-tech or analytics providers. Note that if `SameSite=None` is set then the `Secure` attribute must also be set — `SameSite=None` requires a *secure context*.
```http
Set-Cookie: widget_session=7yjgj57e4n3d; SameSite=None; Secure; HttpOnly
```
If no `SameSite` attribute is set, the cookie is treated as `Lax` by default.
### [Cookie prefixes](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes)
Because of the design of the cookie mechanism, a server can't confirm that a cookie was set from a secure origin or even tell *where* a cookie was originally set.
An application on a subdomain can set a cookie with the `Domain` attribute, which gives access to that cookie on all other subdomains. This mechanism can be abused in a [session fixation](https://owasp.org/www-community/attacks/Session_fixation) attack.
As a [defense-in-depth measure](https://en.wikipedia.org/wiki/Defense_in_depth_\(computing\)), you can use *cookie prefixes* to impose specific restrictions on a cookie's attributes in supporting user-agents. All cookie prefixes start with a double-underscore (`__`) and end in a dash (`-`). Four prefixes are available:
- **`__Secure-`**: Cookies with names starting with `__Secure-` must be set with the `Secure` attribute by a secure page (HTTPS).
- **`__Host-`**: Cookies with names starting with `__Host-` must be set with the `Secure` attribute by a secure page (HTTPS). In addition, they must not have a `Domain` attribute specified, and the `Path` attribute must be set to `/`. This guarantees that such cookies are only sent to the host that set them, and not to any other host on the domain. It also guarantees that they are set host-wide and cannot be overridden on any path on that host. This combination yields a cookie that is as close as can be to treating the origin as a security boundary.
- **`__Http-`**: Cookies with names starting with `__Http-` must be set with the `Secure` flag by a secure page (HTTPS) and in addition must have the `HttpOnly` attribute set to prove that they were set via the `Set-Cookie` header (they can't be set or modified via JavaScript features such as [`Document.cookie`](https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie) or the [Cookie Store API](https://developer.mozilla.org/en-US/docs/Web/API/Cookie_Store_API)).
- **`__Host-Http-`**: Cookies with names starting with `__Host-Http-` must be set with the `Secure` flag by a secure page (HTTPS) and must have the `HttpOnly` attribute set to prove that they were set via the `Set-Cookie` header. In addition, they also have the same restrictions as `__Host-`\-prefixed cookies. This combination yields a cookie that is as close as can be to treating the origin as a security boundary while at the same time ensuring developers and server operators know that its scope is limited to HTTP requests.
The browser will reject cookies with these prefixes that don't comply with their restrictions. As the application server only checks for a specific cookie name when determining if the user is authenticated or a CSRF token is correct, this effectively acts as a defense measure against [session fixation](https://owasp.org/www-community/attacks/Session_fixation).
**Note:** On the server, the web application *must* check for the full cookie name including the prefix. User agents *do not* strip the prefix from the cookie before sending it in a request's [`Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cookie) header.
For more information about cookie prefixes and the current state of browser support, see the [Prefixes section of the Set-Cookie reference article](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#cookie_prefixes).
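The attribute rules this guide states for `Secure`, `Domain`, `Path`, `SameSite` and the four cookie prefixes, collected into one small checker as an added example (not MDN's code and not a browser's implementation): `validateSetCookie` lists why a user agent would reject a `Set-Cookie` header sent from a given origin, `pathMatches` applies the path-scoping rule from the `Path` section, and `sameSiteAllows` decides whether a cookie accompanies a cross-site request. The function names and the simplified origin handling are assumptions; public-suffix checks, cookie size limits and the localhost exemption are not modelled.

```javascript
// Added example (not MDN's code): a compact model of the Set-Cookie rules this
// guide describes, so they can be checked offline. It is a simplified
// illustration of browser behaviour, not a complete RFC 6265bis implementation.

// Parse "name=value; Attr; Attr=val" into { name, value, attrs } with
// attribute names lower-cased (attribute names are case-insensitive).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) throw new Error("Set-Cookie needs a non-empty name=value pair");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Reasons a user agent would reject this cookie when a response from `origin`
// (e.g. "https://foo.example.com") sets it. An empty list means it is accepted.
function validateSetCookie(header, origin) {
  const { name, attrs } = parseSetCookie(header);
  const url = new URL(origin);
  const problems = [];
  const secure = attrs.secure === true;
  const httpOnly = attrs.httponly === true;

  // Insecure (http:) sites cannot set Secure cookies.
  if (secure && url.protocol !== "https:") {
    problems.push("Secure cookies cannot be set from an insecure (http:) origin");
  }
  // SameSite=None only works in a secure context, so Secure is mandatory.
  const sameSite = String(attrs.samesite ?? "Lax").toLowerCase();
  if (sameSite === "none" && !secure) {
    problems.push("SameSite=None requires the Secure attribute");
  }
  // Domain may only name the setting host or one of its parent domains,
  // never a subdomain or an unrelated domain.
  if (typeof attrs.domain === "string") {
    const domain = attrs.domain.replace(/^\./, "").toLowerCase();
    const host = url.hostname.toLowerCase();
    if (domain !== host && !host.endsWith("." + domain)) {
      problems.push(`Domain=${domain} is not ${host} or a parent of it`);
    }
  }
  // Cookie prefixes. A "__Host-Http-" name also starts with "__Host-", so it
  // picks up both the host-only rules and the HttpOnly requirement.
  const hostRules = name.startsWith("__Host-");
  const needsHttpOnly = name.startsWith("__Http-") || name.startsWith("__Host-Http-");
  const needsSecure = hostRules || needsHttpOnly || name.startsWith("__Secure-");
  if (needsSecure && !secure) problems.push(`${name} requires Secure`);
  if (hostRules && "domain" in attrs) problems.push(`${name} must not set Domain`);
  if (hostRules && attrs.path !== "/") problems.push(`${name} requires Path=/`);
  if (needsHttpOnly && !httpOnly) problems.push(`${name} requires HttpOnly`);
  return problems;
}

// Path scoping: "/" is a directory separator, so the cookie path must equal
// the request path or be a directory prefix of it ("/docs" vs "/docsets").
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Whether a cookie with this SameSite value is attached to a request. An unset
// SameSite is treated as Lax. `topLevelNavigation` means the user navigated to
// the cookie's site, e.g. by following a link from another site.
function sameSiteAllows(sameSiteValue, { crossSite, topLevelNavigation }) {
  const mode = String(sameSiteValue ?? "Lax").toLowerCase();
  if (!crossSite || mode === "none") return true;
  if (mode === "lax") return topLevelNavigation;
  return false; // Strict: never sent on cross-site requests
}
```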
## [Privacy and tracking](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#privacy_and_tracking)
Earlier on we talked about how the `SameSite` attribute can be used to control when third-party cookies are sent, and that this can help preserve user privacy. Privacy is a very important consideration when building websites which, when done right, can build trust with your users. If done badly, it can completely erode that trust and cause all kinds of other problems.
Third-party cookies can be set by third-party content embedded in sites via [`<iframe>`](https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/iframe)s. They have many legitimate uses, including sharing user profile information, counting ad impressions, or collecting analytics across different related domains.
However, third-party cookies can also be used to create creepy, invasive user experiences. A third-party server can create a profile of a user's browsing history and habits based on cookies sent to it by the same browser when accessing multiple sites. The classic example is when you search for product information on one site and are then chased around the web by adverts for similar products wherever you go.
Browser vendors know that users don't like this behavior, and as a result have all started to block third-party cookies by default, or at least made plans to go in that direction. Third-party cookies (or just tracking cookies) may also be blocked by other browser settings or extensions.
**Note:** Cookie blocking can cause some third-party components (such as social media widgets) not to function as intended. As browsers impose further restrictions on third-party cookies, developers should start to look at ways to reduce their reliance on them.
See our [Third-party cookies](https://developer.mozilla.org/en-US/docs/Web/Privacy/Guides/Third-party_cookies) article for detailed information on third-party cookies, the issues associated with them, and what alternatives are available. See our [Privacy](https://developer.mozilla.org/en-US/docs/Web/Privacy) landing page for more information on privacy in general.
Legislation or regulations that cover the use of cookies include:
- The [General Data Privacy Regulation](https://gdpr.eu/) (GDPR) in the European Union
- The ePrivacy Directive in the EU
- The California Consumer Privacy Act
These regulations have global reach. They apply to any site on the *World Wide* Web that users from these jurisdictions access (the EU and California, with the caveat that California's law applies only to entities with gross revenue over 25 million USD, among other things).
These regulations include requirements such as:
- Notifying users that your site uses cookies.
- Allowing users to opt out of receiving some or all cookies.
- Allowing users to use the bulk of your service without receiving cookies.
There may be other regulations that govern the use of cookies in your locality. The burden is on you to know and comply with these regulations. There are companies that offer "cookie banner" code that helps you comply with these regulations.
## [See also](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#see_also)
- Related HTTP headers: [`Set-Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie), [`Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cookie)
- Related JavaScript APIs: [`Document.cookie`](https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie), [`Navigator.cookieEnabled`](https://developer.mozilla.org/en-US/docs/Web/API/Navigator/cookieEnabled), [Cookie Store API](https://developer.mozilla.org/en-US/docs/Web/API/Cookie_Store_API "Cookie Store API")
- [Third-party cookies](https://developer.mozilla.org/en-US/docs/Web/Privacy/Guides/Third-party_cookies)
- [Cookie specification: RFC 6265](https://datatracker.ietf.org/doc/html/rfc6265)
- [Cookies, the GDPR, and the ePrivacy Directive](https://gdpr.eu/cookies/) |
| Shard | 53 (laksa) |
| Root Hash | 7082249407640205653 |
| Unparsed URL | org,mozilla!developer,/en-US/docs/Web/HTTP/Guides/Cookies s443 |