---
title: Use __Host- Prefix For Cookies
impact: MEDIUM
impactDescription: browser-enforced host-only, Secure cookie that subdomains cannot override
tags: cookies, prefix, domain, security
---

## Use __Host- Prefix For Cookies

The `__Host-` prefix tells the browser to reject any `Set-Cookie` for that name unless the cookie is `Secure`, has `Path=/`, carries no `Domain` attribute, and arrives from a secure (HTTPS) origin. Because a `Domain` attribute is forbidden, the cookie is host-only: it is sent back only to the exact host that set it, and an attacker who controls a sibling subdomain (for example via a subdomain takeover or an XSS bug on a less-protected app) cannot plant a cookie under that name for the parent domain or for other hosts. This closes the "cookie tossing" / subdomain cookie injection class of attacks, in which an attacker-set cookie is delivered to the target host alongside, or instead of, the legitimate one.

**Incorrect (no prefix):**

```go
cookie := &http.Cookie{
    Name:   "session",
    Value:  token,
    Secure: true,
    Path:   "/",
}
// An attacker on evil.example.com can set "session" with Domain=example.com;
// the browser then sends that cookie to app.example.com as well, so the
// server cannot tell which "session" cookie it is reading.
```

**Correct (__Host- prefix):**

```go
cookie := &http.Cookie{
    Name:     "__Host-session",
    Value:    token,
    Secure:   true,
    Path:     "/",
    HttpOnly: true,
    SameSite: http.SameSiteStrictMode,
    // Domain must NOT be set for __Host-
}
```

**__Host- requirements (enforced by the browser; a non-conforming `Set-Cookie` is silently discarded, so the cookie simply never appears in the jar):**
- Must have `Secure: true`
- Must have `Path: "/"` exactly (no sub-path)
- Must NOT have a `Domain` attribute set, which makes the cookie host-only
- Must be set from a secure (HTTPS) origin
- As a consequence, a subdomain cannot set a `__Host-` cookie that the browser would send to the parent domain or to sibling hosts; a cookie arriving under a `__Host-` name was set by that exact host
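The following is an added example, not code from the original page: a small Go helper that enforces the `__Host-` attribute rules server-side before calling `http.SetCookie`, so a misconfigured cookie fails loudly in the application instead of being silently dropped by the browser. The cookie name `__Host-session`, the `validateHostPrefix`/`setSessionCookie` helper names and the `maxAge` parameter are illustrative choices; the HTTPS-origin rule is enforced by the browser and cannot be checked from the cookie struct alone.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrInvalidHostPrefix is returned when a cookie named with the __Host- prefix
// violates one of the attributes browsers require for that prefix. A browser
// silently drops such a Set-Cookie, so the session would simply never stick;
// failing loudly on the server is the easier bug to find.
var ErrInvalidHostPrefix = errors.New("cookie violates __Host- prefix rules")

// validateHostPrefix enforces the attribute rules for __Host- cookies:
// Secure must be set, Path must be exactly "/", and Domain must be empty.
// Cookies without the prefix pass through unchanged. (The rule that the cookie
// is set from an HTTPS origin is enforced by the browser, not checkable here.)
func validateHostPrefix(c *http.Cookie) error {
	if !strings.HasPrefix(c.Name, "__Host-") {
		return nil
	}
	var problems []string
	if !c.Secure {
		problems = append(problems, "Secure is not set")
	}
	if c.Path != "/" {
		problems = append(problems, fmt.Sprintf("Path must be \"/\", got %q", c.Path))
	}
	if c.Domain != "" {
		problems = append(problems, fmt.Sprintf("Domain must be empty, got %q", c.Domain))
	}
	if len(problems) > 0 {
		return fmt.Errorf("%w: %s", ErrInvalidHostPrefix, strings.Join(problems, "; "))
	}
	return nil
}

// newHostSessionCookie builds a session cookie that satisfies the prefix rules.
// The name "__Host-session" and maxAge (in seconds) are illustrative choices.
func newHostSessionCookie(token string, maxAge int) *http.Cookie {
	return &http.Cookie{
		Name:     "__Host-session",
		Value:    token,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
		MaxAge:   maxAge,
		// Domain is deliberately left empty: the cookie is host-only.
	}
}

// setSessionCookie validates the cookie and, only if it is well-formed,
// writes the Set-Cookie header.
func setSessionCookie(w http.ResponseWriter, c *http.Cookie) error {
	if err := validateHostPrefix(c); err != nil {
		return err
	}
	http.SetCookie(w, c)
	return nil
}

// sessionFromRequest reads the prefixed cookie back. Because the browser
// applied the prefix rules when it stored the cookie, a value arriving under
// this name was set by this exact host over HTTPS, not by a sibling subdomain.
func sessionFromRequest(r *http.Request) (string, bool) {
	c, err := r.Cookie("__Host-session")
	if err != nil {
		return "", false
	}
	return c.Value, true
}

func main() {
	// Well-formed cookie: the header is written.
	rec := httptest.NewRecorder()
	if err := setSessionCookie(rec, newHostSessionCookie("opaque-token", 3600)); err != nil {
		panic(err)
	}
	fmt.Println("sent:", rec.Header().Get("Set-Cookie"))

	// Same cookie with a Domain attribute: rejected before it reaches the wire,
	// exactly as a browser would reject it on receipt.
	bad := newHostSessionCookie("opaque-token", 3600)
	bad.Domain = "example.com"
	if err := setSessionCookie(httptest.NewRecorder(), bad); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Running `validateHostPrefix` in a test or in a middleware that wraps every `http.SetCookie` call catches the common regressions (someone adds `Domain` to share the cookie with a subdomain, or narrows `Path` for an API route) before they reach a browser that would discard the cookie without any server-visible error.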

**Tools:** Browser DevTools (inspect the `Set-Cookie` response header and the stored cookies; a prefixed cookie that violates the rules never appears in the cookie jar), security audit of all `Set-Cookie` headers emitted by the application
