For your local testing URL (http://localhost/dfw/), configure the cookie attributes in the plugin settings panel as follows:

Setting          Value        Explanation
Cookie Domain    localhost    Matches your local host name. Do not prefix it with a dot (.localhost): the leading dot is obsolete and some browsers reject it. If the cookie still does not appear, leave this field empty so the cookie is host-only, which is what you want on localhost anyway.
Cookie Path      /dfw/        Matches your project folder. Do not use just /, since your site lives under /dfw/. Path only controls which requests carry the cookie; it is not a security boundary, because any page on the same origin can still read it.
SameSite         Lax          Recommended for development. Use Strict for sensitive actions (e.g. logins), or None only when testing cross-site scenarios. Browsers honour None only together with Secure, so it requires HTTPS.


Steps to Set This in the Plugin Admin Panel
-------------------------------------------
1. Go to WP Admin → Settings → Secure Cookie.

2. Enter the following:

   Cookie Domain:       localhost
   Cookie Path:         /dfw/
   SameSite Attribute:  Lax

3. Click Save Settings.


Why the Secure Flag Is Not Showing
----------------------------------
You're on http:// (not HTTPS). The plugin sets the Secure flag only when is_ssl() returns true, i.e. when the request itself arrived over HTTPS. On localhost without TLS the cookie will therefore not show Secure; this is expected, and it is also correct, since a Secure cookie would never be sent back over plain HTTP.

✅ To test Secure: true, you must:

1. Access your site via https://localhost or https://127.0.0.1 with a locally trusted certificate.

2. Ensure WordPress is using HTTPS: go to Settings → General and update both WordPress Address (URL) and Site Address (URL) to use https.

Caveat: if TLS is terminated at a reverse proxy and PHP receives plain HTTP, is_ssl() still returns false. In that setup wp-config.php has to set $_SERVER['HTTPS'] = 'on' when the proxy sends X-Forwarded-Proto: https, otherwise the Secure flag is never applied even though users see https:// in the address bar.
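The following is an added example, not the plugin's own code. It shows how the three settings from the table become setcookie() attributes, with Secure tied to is_ssl() exactly as described above, and how SameSite=None is handled when HTTPS is not available. The option names (dfw_cookie_*), the cookie name (dfw_test) and the use of the init hook are assumptions.

```php
<?php
/**
 * Added example (not the plugin's own code): turn the plugin settings into
 * a setcookie() options array. Option names and cookie name are assumed.
 */

/**
 * Build the options array for setcookie() from the plugin settings.
 *
 * @param array $settings ['domain' => string, 'path' => string, 'samesite' => string]
 * @param bool  $is_ssl   Result of is_ssl(): true only when the request arrived over HTTPS.
 */
function dfw_build_cookie_options( array $settings, bool $is_ssl ): array {
    // Normalise SameSite; anything unrecognised falls back to Lax.
    $samesite = ucfirst( strtolower( trim( $settings['samesite'] ?? 'Lax' ) ) );
    if ( ! in_array( $samesite, array( 'Lax', 'Strict', 'None' ), true ) ) {
        $samesite = 'Lax';
    }

    // Browsers only honour SameSite=None together with Secure. On plain HTTP
    // that combination is impossible, so downgrade to Lax instead of emitting
    // a cookie the browser will silently drop.
    if ( 'None' === $samesite && ! $is_ssl ) {
        $samesite = 'Lax';
    }

    $options = array(
        'expires'  => time() + 86400,                     // one day
        'path'     => ( $settings['path'] ?? '' ) ?: '/',  // '/dfw/' for this site
        'secure'   => $is_ssl,                            // no Secure on http://localhost, as expected
        'httponly' => true,                               // keep the cookie away from document.cookie
        'samesite' => $samesite,
    );

    // Only add Domain when one is configured. Leaving it out makes the cookie
    // host-only, which is the safe choice for localhost if a browser refuses
    // an explicit Domain attribute on a single-label host.
    $domain = ltrim( trim( $settings['domain'] ?? '' ), '.' ); // leading dot is obsolete (RFC 6265)
    if ( '' !== $domain ) {
        $options['domain'] = $domain;
    }

    return $options;
}

// Wire it into WordPress. Guarded so the file also loads in plain PHP.
if ( function_exists( 'add_action' ) ) {
    add_action( 'init', function () {
        if ( headers_sent() ) {
            return;
        }
        $settings = array(
            'domain'   => get_option( 'dfw_cookie_domain', '' ),         // assumed option names
            'path'     => get_option( 'dfw_cookie_path', COOKIEPATH ),
            'samesite' => get_option( 'dfw_cookie_samesite', 'Lax' ),
        );
        setcookie( 'dfw_test', '1', dfw_build_cookie_options( $settings, is_ssl() ) );
    } );
}
```

With the values from the table and a request to http://localhost/dfw/, dfw_build_cookie_options() returns path '/dfw/', domain 'localhost', samesite 'Lax' and secure false; the same settings over https://localhost give secure true. Asking for None over plain HTTP yields Lax, which is why the browser's cookie inspector will never show SameSite=None on the http:// site.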

“Warning Sensitivity”
-----------------------
Off – No warning at all

Low – Warn only on refresh/back (recommended)

Strict – Warn on any unload unless the user clicks "Log In"


Host Header Injection
---------------------------
The plugin's Host Header Validation feature compares the Host header of each request against the list of valid hosts you enter in the settings (e.g. localhost or example.com) and rejects requests whose Host is not on that list. This stops an attacker from making WordPress build URLs (password-reset links, redirects, canonical links) from a host they control.

Use Case
-----------
If your site is hosted at http://localhost/dfw/, enter localhost in the settings.
In production, enter every hostname the site legitimately answers to, e.g. www.example.com, example.com.

Method 1: Using cURL in the Terminal
------------------------------------
Open a terminal or command prompt and send a request with a forged Host header (-i prints the status line and response headers so you can see the code):

curl -i -H "Host: evil.com" http://localhost/dfw/

If the plugin is working correctly, the response has a 400 Bad Request status and its body contains:

Invalid Host header: evil.com
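The check exercised by the cURL request above, written out as an added example rather than the plugin's own code. It compares the normalised Host header against an allow-list read from the settings and answers with the 400 response described. The option name dfw_allowed_hosts, the plugins_loaded hook and the fail-open behaviour when no hosts are configured are assumptions.

```php
<?php
/**
 * Added example (not the plugin's own code): allow-list validation of the
 * Host header producing "Invalid Host header: <host>" with HTTP 400.
 * The option name and hook choice are assumed.
 */

/** Lower-case a host and strip any port ("localhost:8080" -> "localhost", "[::1]:8080" -> "[::1]"). */
function dfw_normalize_host( string $host ): string {
    $host = strtolower( trim( $host ) );
    if ( preg_match( '/^(\[[^\]]+\]|[^:]+)(?::\d+)?$/', $host, $m ) ) {
        return $m[1];
    }
    return $host;
}

/** Parse the settings field: "localhost, example.com" or one host per line. */
function dfw_parse_allowed_hosts( string $raw ): array {
    $parts = preg_split( '/[\s,]+/', $raw, -1, PREG_SPLIT_NO_EMPTY );
    return array_values( array_unique( array_map( 'dfw_normalize_host', $parts ) ) );
}

/**
 * Exact match only. Suffix matching (str_ends_with($host, 'example.com'))
 * would accept notexample.com, and a regex built from the setting would need
 * escaping; a strict equality test has neither problem.
 */
function dfw_host_is_allowed( string $host, array $allowed ): bool {
    $host = dfw_normalize_host( $host );
    if ( '' === $host ) {
        return false; // request without a Host header: treat as invalid
    }
    return in_array( $host, $allowed, true );
}

if ( function_exists( 'add_action' ) ) {
    // Priority 0 so the check runs before other plugins handle the request.
    add_action( 'plugins_loaded', function () {
        $allowed = dfw_parse_allowed_hosts( (string) get_option( 'dfw_allowed_hosts', '' ) );
        if ( empty( $allowed ) ) {
            return; // nothing configured yet: fail open rather than lock the admin out
        }
        // Only HTTP_HOST is checked. X-Forwarded-Host is attacker-controlled unless a
        // trusted proxy overwrites it, so it is deliberately ignored here.
        $host = isset( $_SERVER['HTTP_HOST'] ) ? wp_unslash( $_SERVER['HTTP_HOST'] ) : '';
        if ( ! dfw_host_is_allowed( $host, $allowed ) ) {
            wp_die(
                'Invalid Host header: ' . esc_html( dfw_normalize_host( $host ) ),
                'Bad Request',
                array( 'response' => 400 )
            );
        }
    }, 0 );
}
```

With dfw_allowed_hosts set to "localhost", dfw_host_is_allowed('evil.com', ['localhost']) is false and the cURL request gets HTTP/1.1 400 Bad Request with the message in the body, while 'localhost' and 'localhost:8080' both pass. Whether an empty allow-list should fail open (as here, to survive a fresh install) or fail closed is a deployment decision; either way, never derive the list from the incoming request itself.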

Method 2: Using Postman
------------------------
1. Open Postman.

2. Create a new GET request to:
   http://localhost/dfw/

3. Go to the Headers tab and add a new header:

   Key:   Host
   Value: evil.com

   Postman generates its own Host header automatically; your explicit entry overrides it, so make sure the auto-generated one is not also enabled.

4. Hit Send.

✅ If working: the response status is 400 Bad Request and the body shows the plugin's "Invalid Host header: evil.com" message.

❌ If NOT working: you'll see the normal page with a 200 status.

