HTTP State Management Mechanism (Cookies)
Sessions, auth tokens, tracking, and CSRF defenses all run through cookies. Know SameSite, Secure, HttpOnly, and domain scoping to avoid security bugs.
What It Defines
Defines HTTP cookies: the Set-Cookie and Cookie headers, domain and path scoping, and the HttpOnly, Secure, and SameSite attributes. Cookies are the primary session mechanism for web applications.
Canonical (Normative)
Convenient (Practical)
The canonical publication point for finalized RFCs. If a protocol is standardized as an RFC, the RFC Editor text is the normative final reference. RFCs are published from the IETF, IRTF, IAB, and Independent Submission streams.
Related Specs
This is the core contract of every web API, browser request, and server response. You can't design or debug HTTP without knowing it.
Every browser-side API call to a different origin hits CORS. Misconfigured CORS is a top source of dev frustration and security holes.
A well-configured CSP is the strongest mitigation against XSS. Required by modern security audits and browser hardening.