What is a cookie and how are cookies secured?

Answer

A cookie is a small piece of data that a server sets with the Set-Cookie response header and the browser stores. The browser then attaches it (in the Cookie request header) to every later request whose host, path and scheme match the cookie's scope. Cookies are used for session management, user preferences and tracking. Because the browser attaches a session cookie automatically, it is effectively the user's credential, so the attributes below decide who can read it and which requests carry it.

Security attributes:

HttpOnly: the cookie is not exposed to JavaScript (document.cookie), so an XSS payload cannot read and exfiltrate it. Note that the script can still make requests that carry the cookie, so HttpOnly limits cookie theft, not XSS itself.

Secure: the cookie is only sent over HTTPS, so a network observer on a plaintext connection never sees it.

SameSite: controls whether the cookie is sent with cross-site requests. Strict: never sent cross-site, not even when the user follows a link from another site. Lax: sent on top-level navigations that use a safe method (GET), but not on cross-site POSTs, iframes, images or fetch/XHR requests; Chromium-based browsers apply Lax when the attribute is absent. None: sent on all cross-site requests, and browsers only accept it when Secure is also set.

Domain and Path: restrict which requests include the cookie. Omitting Domain makes the cookie host-only, sent only to the exact host that set it; setting Domain=example.com sends it to every subdomain as well, which is usually wider than a session cookie needs. Path limits the cookie to URLs under that path, but it is not a security boundary, because documents on the same origin can still read each other's cookies.

Expiration: session cookies (no Expires or Max-Age) are deleted when the browser closes; persistent cookies carry an explicit Expires or Max-Age. Browsers that restore their previous session can keep "session" cookies across restarts, so the server must still expire sessions on its own.

Best practice for session cookies: always set HttpOnly, Secure and SameSite=Lax (or Strict if the application never needs to be entered from a cross-site link with the session intact), omit Domain so the cookie stays host-only, and consider the __Host- name prefix, which makes the browser reject the cookie unless it has Secure, Path=/ and no Domain attribute.