src/main/java/com/gcsc/guide/auth/AuthController.java

@@ -227,9 +227,11 @@ public class AuthController {
 
     private void clearSessionCookies(HttpServletResponse response) {
         response.addHeader(HttpHeaders.SET_COOKIE,
-            ResponseCookie.from("GC_SESSION", "").path("/").maxAge(0).build().toString());
+            ResponseCookie.from("GC_SESSION", "")
+                .path("/").httpOnly(true).secure(true).sameSite("Lax").maxAge(0).build().toString());
         response.addHeader(HttpHeaders.SET_COOKIE,
-            ResponseCookie.from("gc_proxy_auth", "").path("/").maxAge(0).build().toString());
+            ResponseCookie.from("gc_proxy_auth", "")
+                .path("/").httpOnly(true).secure(true).sameSite("Lax").maxAge(0).build().toString());
     }
 
     private String getCookieValue(HttpServletRequest request, String name) {