only sent over HTTPS "httponly" => true, // Prevent client-side JavaScript access to the recipient, for any liability that these contractual assumptions