---
title: Use Host Prefix for Secure Cookies
impact: LOW
impactDescription: prevents cookie tossing and shadowing from subdomains
tags: security, cookies, prefixes, host-prefix
---

## Use Host Prefix for Secure Cookies

Use the `__Host-` prefix for highly sensitive cookies such as session and CSRF tokens. A conforming browser only stores a cookie whose name begins with `__Host-` when it is set from a secure origin with the `Secure` attribute, `Path=/` and no `Domain` attribute; a `Set-Cookie` that violates any of these rules is silently discarded. Because a `__Host-` cookie can never carry a `Domain` attribute, it is bound to the exact host that set it, so a compromised or attacker-controlled sibling subdomain cannot set a same-named cookie that shadows or overrides it ("cookie tossing").

**Incorrect (standard cookie):**

```ruby
# Unprefixed: any sibling subdomain (e.g. a forgotten staging host) can set a
# cookie named `_session` with a Domain attribute that shadows this one, and
# nothing in the name tells the browser to reject such an override.
cookies[:_session] = { value: "abc", secure: true }
```

**Correct (host-prefixed cookie):**

```ruby
# The browser enforces the prefix contract: Secure must be set, path must be
# "/", and there must be no `domain:` key. Setting any of these differently
# makes the browser drop the cookie rather than store a weaker one.
cookies["__Host-session"] = {
  value: "abc",
  secure: true,
  path: "/",
  httponly: true
}
```
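To see the browser-side rules the prefix relies on, the following added example (not code from the original page or from Rails) reimplements the storage check a conforming browser performs on a `Set-Cookie` header value, per the cookie-name-prefix rules in RFC 6265bis. It goes slightly beyond the rule above by also handling the weaker `__Secure-` prefix, which requires only `Secure` and a secure origin. The header strings are constructed for illustration; `secure_origin` is an assumption the caller supplies, since a browser derives it from the request URL.

```ruby
# Added example: a checker that applies the browser rules for prefixed cookies
# (RFC 6265bis, "Cookie Name Prefixes") to Set-Cookie header values.

# Parses one Set-Cookie header value into [name, value, attributes].
# Attribute names are downcased; flag attributes without "=" (Secure,
# HttpOnly) get the value true, mirroring case-insensitive browser matching.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split("=", 2)
    h[k.downcase] = v.nil? ? true : v
  end
  [name, value.to_s, attributes]
end

# Mirrors what a conforming browser does before storing a prefixed cookie.
# `secure_origin` (assumption: supplied by the caller) is whether the response
# arrived over https. Returns [accepted, reason].
def prefixed_cookie_acceptable?(header, secure_origin: true)
  name, _value, attrs = parse_set_cookie(header)
  host_prefix = name.start_with?("__Host-")
  prefixed = host_prefix || name.start_with?("__Secure-")
  # Unprefixed cookies get no extra checks; that is exactly the weakness.
  return [true, "no prefix, no extra rules"] unless prefixed

  return [false, "prefixed cookies require a secure origin"] unless secure_origin
  return [false, "Secure attribute missing"] unless attrs["secure"] == true

  if host_prefix
    # __Host- additionally forbids Domain and requires Path=/, which is what
    # binds the cookie to one host and blocks subdomain shadowing.
    return [false, "Domain attribute not allowed"] if attrs.key?("domain")
    return [false, "Path must be /"] unless attrs["path"] == "/"
  end
  [true, "ok"]
end

# Constructed Set-Cookie values to audit; comments state the expected verdict.
SAMPLE_HEADERS = [
  "_session=abc; Secure; HttpOnly",                          # accepted (no prefix, shadowable)
  "__Host-session=abc; Secure; Path=/; HttpOnly",            # accepted
  "__Host-session=abc; Secure; Path=/; Domain=example.com",  # rejected: Domain present
  "__Host-session=abc; Secure; Path=/app",                   # rejected: Path not /
  "__Host-session=abc; Path=/",                              # rejected: Secure missing
  "__Secure-id=abc; Secure; Domain=example.com"              # accepted: __Secure- allows Domain
].freeze

# Runs the check over a list of header values and returns
# [header, accepted, reason] triples.
def audit(headers, secure_origin: true)
  headers.map { |h| [h, *prefixed_cookie_acceptable?(h, secure_origin: secure_origin)] }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_HEADERS).each do |header, ok, reason|
    puts format("%-8s %-58s %s", ok ? "STORED" : "DROPPED", header, reason)
  end
end
```

Run it against the `Set-Cookie` headers your application actually emits (for example from `curl -sI https://host/login` or the browser's network panel): a prefixed cookie that this check rejects is one the browser never stored, which typically shows up as users being logged out immediately rather than as an obvious error.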

**Tools:** Manual Review
---
