XSS (cross-site scripting) is an attack in which the attacker embeds JavaScript in the HTML returned to the browser. To mitigate the impact of such attacks, the cookie also needs the HttpOnly attribute in the HTTP response header (Set-Cookie: ...; HttpOnly). This attribute mitigates XSS by preventing JavaScript from accessing the cookie.
Secure - this attribute tells the browser to send the cookie only with HTTPS requests.
The resulting response header should look like this: Set-Cookie: <cookie-value>; ... with the HttpOnly and Secure attributes appended.
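As an added example (not from the original text), the following Python code builds a Set-Cookie header carrying both attributes and audits an arbitrary Set-Cookie value for their absence; the cookie name, value and lifetime are constructed sample data.

```python
from http.cookies import SimpleCookie

def build_session_cookie(name, value, max_age=3600):
    """Return a Set-Cookie header value with HttpOnly and Secure set.

    SimpleCookie/Morsel emit the flags as bare attributes, e.g.
    "session=abc; HttpOnly; Max-Age=3600; Path=/; Secure".
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["httponly"] = True   # script cannot read it via document.cookie
    cookie[name]["secure"] = True     # browser sends it over HTTPS only
    cookie[name]["path"] = "/"
    cookie[name]["max-age"] = max_age
    return cookie[name].OutputString()

def audit_set_cookie(header_value):
    """Return the hardening attributes missing from a Set-Cookie value.

    Attribute names are case-insensitive per RFC 6265, so compare lowercased.
    """
    parts = header_value.split(";")[1:]          # skip the name=value pair
    attrs = {p.strip().split("=", 1)[0].lower() for p in parts if p.strip()}
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    return missing

if __name__ == "__main__":
    hardened = build_session_cookie("session", "abc123")   # constructed sample
    weak = "session=abc123; Path=/"                         # constructed sample
    print(hardened, "->", audit_set_cookie(hardened))
    print(weak, "->", audit_set_cookie(weak))
```

Run the audit over every Set-Cookie header in a response to find cookies that lack either attribute.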