Cookie Analyzer
About the Cookie Analyzer
The Cookie Analyzer inspects the cookies a website sets when you load it, listing each cookie's name and the security attributes attached to it. Cookies are small pieces of data the server stores in your browser to maintain sessions, remember preferences, and track behavior across requests, and they are delivered through the Set-Cookie response header. This tool decodes those headers so you can see exactly what a site is storing and how carefully it is protecting that data.
The key attributes it reports are the ones that govern security and scope. The Secure flag ensures a cookie is only sent over HTTPS; HttpOnly prevents JavaScript from reading it, which blocks a major cross-site scripting theft vector; and SameSite (Strict, Lax, or None) controls whether the cookie travels on cross-site requests, which is the core defense against cross-site request forgery. The tool also surfaces expiration and domain or path scope, distinguishing short-lived session cookies from long-lived persistent ones.
Common use cases include privacy and GDPR or ePrivacy compliance reviews, auditing third-party tracking cookies, verifying that authentication cookies are properly hardened after a framework change, and debugging session issues where a login does not persist. It pairs naturally with the Security Headers Checker for a complete picture of a site's response-level protections and with an SSL check when confirming that Secure cookies are actually delivered over encrypted connections.
A practical tip: any cookie carrying a session or auth token should have Secure, HttpOnly, and SameSite set, and SameSite=None must always be combined with Secure or modern browsers will reject it. Watch for an excessive number of third-party cookies, which often signals heavy ad or analytics tracking that may need consent banners, and prefer scoping cookies tightly with explicit domain and path values rather than leaving them broad.
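To make the attribute checks above concrete, here is a small Set-Cookie analyzer written for this page. It is an added example, not the Cookie Analyzer's own code: it parses each Set-Cookie value into a name, value and attribute map, classifies the cookie as session or persistent, and reports the gaps the tip describes (a session or auth cookie missing Secure, HttpOnly or SameSite, and SameSite=None without Secure). The name fragments used to spot session and auth cookies, and the sample headers at the bottom, are constructed for illustration.

```python
"""Minimal Set-Cookie analyzer in the spirit of the tool described above.
Added example, not the Cookie Analyzer's own code; the sample headers at
the bottom are constructed, not captured from any real site."""
from dataclasses import dataclass, field

# Name fragments that suggest a cookie carries a session or auth token.
# Assumption: a heuristic chosen for this example, not a standard.
SENSITIVE_HINTS = ("session", "sess", "auth", "token")


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value ("" for bare flags like Secure)
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes.
    Attribute names are case-insensitive, so they are lower-cased; bare
    flags such as Secure and HttpOnly are stored with an empty value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def is_persistent(cookie: Cookie) -> bool:
    """A cookie with Expires or Max-Age survives browser restarts; without
    either it is a session cookie, discarded when the browser closes."""
    return "expires" in cookie.attributes or "max-age" in cookie.attributes


def audit(cookie: Cookie) -> list:
    """Return findings about missing or inconsistent security attributes."""
    a = cookie.attributes
    secure = "secure" in a
    httponly = "httponly" in a
    samesite = a.get("samesite", "").lower()
    findings = []
    # SameSite=None is only honoured by modern browsers when Secure is set too.
    if samesite == "none" and not secure:
        findings.append("SameSite=None without Secure")
    # Session/auth cookies should carry all three protections.
    if any(h in cookie.name.lower() for h in SENSITIVE_HINTS):
        if not secure:
            findings.append("missing Secure")
        if not httponly:
            findings.append("missing HttpOnly")
        if not samesite:
            findings.append("missing SameSite")
    return findings


def analyze(headers: list) -> dict:
    """Analyze a list of Set-Cookie values; returns a report keyed by cookie name."""
    report = {}
    for h in headers:
        c = parse_set_cookie(h)
        report[c.name] = {
            "persistent": is_persistent(c),
            "samesite": c.attributes.get("samesite", "") or "(not set)",
            "domain": c.attributes.get("domain", "(host-only)"),
            "path": c.attributes.get("path", "(default)"),
            "findings": audit(c),
        }
    return report


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "auth_token=xyz789; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "_tracker=1; Domain=.example.com; Path=/; Max-Age=31536000; SameSite=None",
    "prefs=dark; Path=/; SameSite=Strict",
]

if __name__ == "__main__":
    for name, info in analyze(SAMPLE_HEADERS).items():
        kind = "persistent" if info["persistent"] else "session"
        print(f"{name}: {kind}, SameSite={info['samesite']}, domain={info['domain']}, "
              f"path={info['path']}, findings={info['findings'] or 'none'}")
```

Run against the constructed headers, the hardened sessionid cookie passes, auth_token is flagged for all three missing protections, and _tracker is flagged because SameSite=None is not paired with Secure. Splitting on ";" is safe even for Expires values that contain commas, since the cookie grammar reserves the semicolon as the attribute separator.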
Frequently asked questions
- What do the Secure and HttpOnly cookie flags do?
- Secure ensures the cookie is only transmitted over HTTPS, and HttpOnly stops client-side JavaScript from reading it, which blocks a common cross-site scripting theft path. Both should be set on any sensitive session cookie.
- What is the SameSite attribute for?
- SameSite controls whether a cookie is sent on cross-site requests. Strict and Lax help prevent cross-site request forgery, while SameSite=None allows cross-site use but must be paired with the Secure flag.
- What is the difference between session and persistent cookies?
- Session cookies have no expiration and are deleted when the browser closes, while persistent cookies set an Expires date or a Max-Age lifetime and survive across sessions. Persistent cookies are typically used for preferences and long-term tracking.
- Why does the analyzer matter for privacy compliance?
- Regulations like GDPR and ePrivacy require disclosure and often consent for non-essential cookies, especially third-party trackers. Listing every cookie and its scope helps you confirm your consent banner and privacy policy match what the site actually sets.