# Browser Security Foundations: CSP, CORS, Cookies, and Sessions > **Intro:** These controls are often configured by copy-paste. They deserve better because weak defaults here create long-lived product risk that is hard to see in backend dashboards. > > **What this page includes** > > * practical guidance for CSP and CORS > * cookie and session rules that product teams should standardize > * common mistakes in browser storage > * release checks for frontend security posture ## Cookie and session defaults A practical baseline is: * `Secure` for session cookies; * `HttpOnly` for cookies that do not need JavaScript access; * explicit `SameSite` rather than relying on browser defaults; * short idle and absolute timeouts for high-risk sessions. Current browser behavior makes `SameSite=Lax` a safer baseline than the historic default, and `SameSite=None` should only be used with `Secure` over HTTPS. ## CORS CORS is not an authorization system. Treat it as a browser exposure control. Good defaults: * allow exact origins instead of wildcards; * do not combine `Access-Control-Allow-Credentials: true` with broad origins; * keep preflight and method allowances narrow. ## CSP Use CSP to reduce script execution risk, especially when marketing tags, support tools, or user-generated content enter the page. Start with reporting, then tighten around script sources, object sources, framing, and inline script strategy. ## Browser storage Avoid putting sensitive session material in `localStorage` unless the design has a strong reason and compensating controls. Session and token design should assume browser-side JavaScript compromise is possible in some failure scenarios. ## Release checks * cookie attributes validated in production headers; * CORS reviewed for exact origins and credential use; * CSP present and tested on high-value pages; * no raw secrets or privileged state in frontend build output. ## Related pages * [Session Security, Browser State, and AuthZ Review Patterns](https://github.com/D3One/Product-Security-Gitbook/blob/main/18-frontend-and-browser-security/session-security-authn-authz-and-browser-state-review.md) * [CSP, SRI, and Third-Party JavaScript Control Patterns](https://github.com/D3One/Product-Security-Gitbook/blob/main/18-frontend-and-browser-security/csp-sri-and-third-party-javascript-control-patterns.md) * [OAuth for SPA, BFF, and Frontend Secret Anti-Patterns](/application-security-and-secure-sdlc/index-2/oauth-for-spa-bff-and-frontend-secret-antipatterns.md) * [Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html) *** *Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.product-security.expert/application-security-and-secure-sdlc/index-2/browser-security-foundations-csp-cors-cookies-and-sessions.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.