Cookie Security Flags: HttpOnly, Secure, SameSite

Cookies can be made safer using flags. ## Key flags - HttpOnly: JS cannot read cookie (helps reduce damage from XSS) - Secure: cookie only sent over HTTPS - SameSite: reduces CSRF by controlling cross-site sends ## Example setcookie with options ```php setcookie("session_id", $value, [ "expires" => time() + 3600, "path" => "/", "secure" => true, "httponly" => true, "samesite" => "Lax" ]); ``` ## Practical note - Use Secure only when HTTPS is enabled - SameSite=None requires Secure=true > Next: Email sending, SMTP, and safe mail flows in PHP.