diff --git a/vlib/builtin/string_test.v b/vlib/builtin/string_test.v
index 9bb7124db9..d16aceb112 100644
--- a/vlib/builtin/string_test.v
+++ b/vlib/builtin/string_test.v
@@ -233,6 +233,11 @@ fn test_replace_each() {
 		'[code]', '<code>',
 		'[/code]', '</code>'
 	]) == '<b>bold</b> <code>code</code>'
+	bb2 := '[b]cool[/b]'
+	assert bb2.replace_each([
+		'[b]', '<b>',
+		'[/b]', '</b>',
+	]) == '<b>cool</b>'
 }
 
 fn test_itoa() {
diff --git a/vlib/vweb/tmpl/tmpl.v b/vlib/vweb/tmpl/tmpl.v
index e75784120d..61ecb34484 100644
--- a/vlib/vweb/tmpl/tmpl.v
+++ b/vlib/vweb/tmpl/tmpl.v
@@ -76,7 +76,7 @@ _ = header
 		}
 		// HTML, may include `@var`
 		else {
-			s.writeln(line.replace('@', '\x24').replace('\'', '"') )
+			s.writeln(line.replace('@', '\x24').replace("'", '"') )
 		}
 	}
 	s.writeln(STR_END)
diff --git a/vlib/vweb/vweb.v b/vlib/vweb/vweb.v
index a422b6fbab..d97802b8a3 100644
--- a/vlib/vweb/vweb.v
+++ b/vlib/vweb/vweb.v
@@ -74,11 +74,11 @@ pub fn (ctx Context) not_found(s string) {
 
 pub fn (ctx mut Context) set_cookie(key, val string) { // TODO support directives, escape cookie value (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie)
 	//println('Set-Cookie $key=$val')
-	ctx.add_header('Set-Cookie', '$key=$val')
+	ctx.add_header('Set-Cookie', '$key=$val;  Secure; HttpOnly')
 }
 
 pub fn (ctx &Context) get_cookie(key string) ?string { // TODO refactor
-	cookie_header := ' ' + ctx.get_header('Cookie')
+	cookie_header := ' ' + ctx.get_header('cookie')
 	cookie := if cookie_header.contains(';') {
 		cookie_header.find_between(' $key=', ';')
 	} else {