add further notes

Author: CrowdHailer

src/gleam/http.gleam

@@ -514,6 +514,7 @@ fn parse_cookie_list(cookie_string) {
 /// Fetch the cookies sent in a request.
 ///
 /// Note badly formed cookie pairs will be ignored.
+/// RFC6265 specifies that invalid cookie names/attributes should be ignored.
 pub fn get_req_cookies(req) -> List(tuple(String, String)) {
   let Request(headers: headers, ..) = req
 

src/gleam/http/cookie.gleam

@@ -39,6 +39,12 @@ pub fn empty_attributes() {
 }
 
 /// Helper to create sensible default attributes for a set cookie.
+///
+/// NOTE these defaults ensure you cookie is always available to you application.
+/// However this is not a fully secure solution.
+/// You should consider setting a Secure and/or SameSite attribute.
+///
+/// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Attributes
 pub fn default_attributes() {
   Attributes(
     max_age: option.None,