---
title: Use __Host- Prefix For Cookies
impact: MEDIUM
impactDescription: enforces strict cookie security attributes
tags: cookies, naming, security, csharp
---

## Use __Host- Prefix For Cookies

Prefixing cookies with `__Host-` forces the browser to require `Secure`, `Path=/`, and no `Domain` attribute.

**Incorrect:**

```csharp
Response.Cookies.Append("session", token);
```

**Correct:**

```csharp
// Browser rejects this cookie if attributes are missing
var options = new CookieOptions
{
    Secure = true,
    Path = "/",
    // Domain must be null
};
Response.Cookies.Append("__Host-session", token, options);
```

**Tools:** Browser DevTools