Skip to main content

Cookies and Https

SuperTokens ensures that cookies are secured by enabling the secure flag when generating session cookies.

When set, the secure attribute limits the scope of the cookie to be attached only to secure domains. This results in the cookie only being attached to requests transmitted over https. This, in turn, prevents cookie theft via man in the middle attacks.


If not explicitly set, SuperTokens automatically determines the value for the secure attribute based on your API domain having http or https.

Explicitly setting the secure attribute#

import SuperTokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";

supertokens: {
connectionURI: "...",
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "..."
recipeList: [
cookieSecure: true,
Looking for older versions of the documentation?
Which UI do you use?
Custom UI
Pre built UI