Published by NewsPR Today | August 2025
Have you ever pondered what occurs when you log into your preferred website? A cookie is a small piece of digital data that is sent from the website to your browser when you enter your username and password.
By proving you are a legitimate user and safeguarding your session, the cookie acts as a kind of backstage pass.
But what if a bad actor could steal or modify that pass? That’s a huge web security problem. Chrome 140 introduces a new feature to solve it. The beta for Chrome 140 was pushed on August 6, 2025, and it contains a key modification: HTTP cookie prefixes. While it sounds fancy, this modification significantly improves our internet security.
At NewsPR Today, we feel that it’s absolutely important for everybody to know about these changes because pretty much everybody is online. Let’s take apart what these new prefixes do for you and the internet.
The Issue: When a Cookie Isn’t What It Looks Like
We must first analyse the issue in order to comprehend the solution. The internet is constantly changing. Websites do more than just display static pages; they run code, usually JavaScript, in your browser. Website functionality, including pop-up menus and real-time updates, is made possible by this code.
However, the same code can be misused. Cross-Site Scripting, or XSS, is one of the most significant issues with web security. An XSS attack occurs when a malevolent user inserts their malicious script into a legitimate website. Unbeknownst to you, your browser runs the attacker’s code when the page loads. This script has the potential to steal or alter your cookies, among other very unpleasant consequences.
Think of the secure session cookie your bank stores in your browser. Using an XSS attack, an attacker might inject a script into the page that tries to alter that cookie’s value. Without an extra signal, the browser cannot tell whether a cookie write came from the real server or from an injected script, so it may accept the alteration. This jeopardizes your session. Developers have wrestled with this nasty flaw for years.
The Solution: A “Stamp of Authenticity” for Cookies
The HTTP cookie prefixes __Http and __HostHttp are both forms of a digital “stamp of authenticity” that a server can put on a cookie. When a browser receives a cookie that bears one of these stamps, it knows to impose strict rules. If these rules are not obeyed, the browser simply throws the cookie away, refusing to store it or return it to the server.
This mechanism permits a web server to explicitly mark, “This is my cookie, and only I can change or control it.” Any client-side JavaScript attempt, valid or not, to alter a cookie with this prefix will be unsuccessful. This mechanism gives developers the ability to more effectively secure sensitive data such as session tokens and authentication data.
Decomposing the New Prefixes
Let’s examine more closely what each prefix accomplishes and why it’s necessary.
__Http
Cookies with the __Http prefix must satisfy two important conditions:
- Secure: The cookie is only sent over an encrypted HTTPS connection. This protects against attacks where an attacker captures it from unencrypted traffic.
- HttpOnly: This is important. The HttpOnly attribute ensures that the cookie is completely off-limits to client-side JavaScript. A script executing in your browser cannot read, write, or change it.
These two properties, enforced by the __Http prefix, give developers confidence. If they receive a cookie with this prefix, they can be sure that it was set by their server and not by an attacker’s script.
__HostHttp
The __HostHttp prefix makes it even more secure. It has all of the requirements of __Http (Secure and HttpOnly) but adds two additional ones:
- Path=/: This indicates the cookie will be valid for the entire host (the primary website domain) and not a particular subdirectory.
- No Domain attribute: This is an important security enhancement. It prevents the cookie from being shared with any subdomain. For example, if a cookie was created on example.com, it cannot be accessed by blog.example.com. This makes it a host-only cookie, which minimizes the risk that a compromised subdomain can affect the main site.
The __HostHttp prefix gives a strong assurance that the cookie is firmly tied to the precise server which issued it. It’s a “host-only” cookie with premium security settings, so it is best used for the most sensitive data, like initial authentication tokens.
Why This Matters for the Web
You may not see these changes immediately, but they have a significant impact on the security of the web applications you commonly access.
- For Businesses and Developers: The new prefixes provide an easy method to identify crucial cookies. This simplifies security procedures and ensures a robust protection mechanism. Rather than using many ad-hoc checks, a developer can simply utilize the correct prefix and rely on the browser to implement the rules. This is vital for enterprises and applications that handle sensitive user information, financial transactions, and sessions.
- For You, the User: This feature aims to make the web more secure. Though you won’t be notified that “Your cookie is now safer,” the effect is a more secure browsing experience. By keeping client-side scripts away from server-controlled cookies, these prefixes drastically reduce the risk of all manner of attacks, ranging from session hijacking to data tampering. It adds another layer of safety into the very foundation of the internet to protect you from evolving threats.
A Look at Browser Coordination
A welcome aspect of this update is the industry-wide collaboration behind it. The HTTP Working Group, a team of specialists who help define the core protocols of the internet, came up with the concept for these prefixes. Other major browsers have already embraced the specification after it underwent a rigorous technical review. For instance, Mozilla made a deliberate effort to improve security by adding support for these prefixes to Firefox in July 2025. For all web users to experience consistent behaviour and efficacy, cross-browser implementation is required.
For Developers: How to Use the New Prefixes
Using these prefixes is straightforward but requires server-side changes. For example:
Set-Cookie: __HttpSessionId=abc123; Secure; HttpOnly; SameSite=Strict
Set-Cookie: __HostHttpAuthToken=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict
If you try to set these cookies via JavaScript, Chrome will reject them, because a cookie written through document.cookie can never carry the required HttpOnly attribute. If you forget to include the required attributes, the browser will also block them.
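To make the rules above concrete, here is an added example (not code from the article, from Chromium, or from the specification) that models the browser-side decision for a Set-Cookie header: it parses the header, applies the __Http rules (Secure and HttpOnly) and the extra __HostHttp rules (Path=/ and no Domain attribute), treats anything written through document.cookie as unable to be HttpOnly, and shows the host-only behaviour that keeps a __HostHttp cookie away from blog.example.com. The prefix spellings follow the article; the function names, the `source` and `secureOrigin` options, and the sample headers are assumptions made for this example.

```javascript
// Added example: a model of the prefix rules described in the article.
// Not the browser's real cookie code; prefix spellings follow the article.

// Parse a Set-Cookie header value into { name, value, attrs }.
// attrs maps lower-cased attribute names to their string value, or true for flags.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq < 1) throw new Error('cookie pair must be name=value');
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    if (i === -1) attrs[attr.toLowerCase()] = true;
    else attrs[attr.slice(0, i).trim().toLowerCase()] = attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Decide whether a browser following the article's rules stores the cookie.
// source: 'http' for a Set-Cookie response header, 'script' for document.cookie.
// secureOrigin: whether the page that set the cookie was loaded over HTTPS.
// Returns { accepted, reason, cookie }.
function evaluateSetCookie(header, { source = 'http', secureOrigin = true } = {}) {
  const cookie = parseSetCookie(header);
  const lower = cookie.name.toLowerCase();
  const hasHttpPrefix = lower.startsWith('__http');
  const hasHostHttpPrefix = lower.startsWith('__hosthttp');
  if (!hasHttpPrefix && !hasHostHttpPrefix) {
    return { accepted: true, reason: 'no prefix, ordinary cookie rules apply', cookie };
  }
  const attrs = cookie.attrs;
  // Shared rule: Secure, and only settable from an HTTPS origin.
  if (!attrs.secure || !secureOrigin) {
    return { accepted: false, reason: 'prefixed cookie requires Secure over HTTPS', cookie };
  }
  // Shared rule: HttpOnly. document.cookie cannot produce an HttpOnly cookie,
  // so any prefixed cookie written by script fails here.
  if (source === 'script' || !attrs.httponly) {
    return { accepted: false, reason: 'prefixed cookie requires HttpOnly, set by the server', cookie };
  }
  if (hasHostHttpPrefix) {
    // Extra rules: host-only (no Domain attribute) and Path=/.
    if ('domain' in attrs) {
      return { accepted: false, reason: '__HostHttp cookie must not carry a Domain attribute', cookie };
    }
    if (attrs.path !== '/') {
      return { accepted: false, reason: '__HostHttp cookie must have Path=/', cookie };
    }
  }
  return { accepted: true, reason: 'all prefix rules satisfied', cookie };
}

// Would a stored cookie, set by setHost, be sent on a request to requestHost?
// Without a Domain attribute the cookie is host-only; with one it domain-matches.
function sentToHost(cookie, setHost, requestHost) {
  const req = requestHost.toLowerCase();
  const domain = typeof cookie.attrs.domain === 'string'
    ? cookie.attrs.domain.replace(/^\./, '').toLowerCase()
    : null;
  if (domain === null) return req === setHost.toLowerCase();
  return req === domain || req.endsWith('.' + domain);
}

// Constructed sample headers, including the two from the article.
const SAMPLE_HEADERS = [
  '__HttpSessionId=abc123; Secure; HttpOnly; SameSite=Strict',
  '__HostHttpAuthToken=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict',
  '__HttpSessionId=abc123; Secure; SameSite=Strict',                 // missing HttpOnly
  '__HostHttpAuthToken=xyz789; Path=/; Secure; HttpOnly; Domain=example.com', // Domain present
];

function demo() {
  for (const h of SAMPLE_HEADERS) {
    const r = evaluateSetCookie(h);
    console.log(`${r.accepted ? 'ACCEPT' : 'REJECT'} ${h}  (${r.reason})`);
  }
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Running `demo()` prints ACCEPT for the article's two headers and REJECT for the two malformed variants. The `sentToHost` helper is what makes the "no Domain attribute" rule matter in practice: a __HostHttp cookie set by example.com is never attached to a request for blog.example.com, whereas a legacy cookie carrying Domain=example.com is.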
Wider Trends in Web Security
This update is not a singular modification. It fits into a broader pattern in which browsers are becoming more watchful of user security and privacy. Similar trends have been observed, such as the progressive elimination of third-party cookies, which mainly impacts digital advertising, and a greater emphasis on privacy-focused substitutes like the DuckDuckGo browser.
Both initiatives show a shared interest in making the web safer and more secure, even though cookie prefixes offer a different functionality from privacy-oriented cookie constraints. They are among the growing number of security features that work in tandem to protect users, such as:
- Content Security Policy (CSP): A layer of security that prevents XSS attacks by dictating which resources a page can load.
- SameSite Cookies: A flag that instructs browsers when to limit cookies to the same site, mitigating the dangers of Cross-Site Request Forgery (CSRF) attacks.
- HTTPS Everywhere: The effort to have encrypted connections for all web traffic by default.
The new cookie prefixes complement these current safeguards, providing another necessary building block to the web’s security infrastructure.
Practical Takeaways for the Curious Reader
Though this is a technical change, it’s beneficial to know what it means for your online life. Here are a few key takeaways:
- Trust the Updates: New features and a new look aren’t the only things that come with browser updates. They frequently come with significant security enhancements. To benefit from the newest security features, make sure your desktop and mobile browsers are up to date.
- Check for HTTPS: Make sure that the address bar of any website you sign in to or enter sensitive information on displays a padlock. As a prerequisite for the new secure cookie prefixes, this indicates a secure connection.
- Be Mindful of the Larger Landscape: The internet is still developing. What is safe now might not be safe tomorrow. Knowing these developments helps you stay aware of the reasons behind the need for new security solutions and how they protect you against emerging dangers. The industry’s efforts to surpass impending challenges are exemplified by the new HTTP cookie prefixes.