Cookies carry sessions, preferences and tracking identifiers, and their security depends on three flags: Secure, HttpOnly and SameSite. This tool does two things: it lists the cookies the current page can read via document.cookie, and — because the most security-relevant cookies are HttpOnly and invisible to JavaScript — it also parses a pasted Set-Cookie header so you can audit those flags directly without opening network tools.
The two views: page cookies vs. header audit
Page cookie list: document.cookie returns only the non-HttpOnly cookies for the current origin as name=value pairs. Seeing which cookies are readable by JavaScript is itself a privacy signal — if a session token appears in this list, it is also readable by any injected script, which is exactly what HttpOnly is meant to prevent.
Header auditor: The security-critical cookies — session IDs, auth tokens, CSRF tokens — are typically HttpOnly, so they never appear in the page list. To audit them, copy the raw Set-Cookie line from your browser’s network tab or a curl response and paste it here. The parser reads every attribute.
What the auditor checks
The parser splits the header on ; and reads: Secure, HttpOnly, SameSite, Domain, Path, Max-Age and Expires. It then applies three validation rules:
SameSite=NonerequiresSecure, or modern browsers reject the cookie outright — your session will break.- A cookie with a session/auth name (
session,sid,token,auth,jwt) should carry bothSecureandHttpOnly. Missing either is flagged. - Missing
SameSitedefaults toLaxin modern browsers but is worth setting explicitly so behaviour does not depend on the browser version.
Worked example
Set-Cookie: sid=abc123; Path=/; SameSite=None
This raises a warning: SameSite=None is set without Secure, so the browser drops the cookie and the session breaks. The correct header is:
Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
That clears all warnings: the session ID is hidden from scripts, only sent over HTTPS, and restricted from being included on cross-site requests automatically.
Common cookie security mistakes
| Mistake | Risk |
|---|---|
| Session token readable by JS (no HttpOnly) | Stolen by XSS |
| Cookie sent over HTTP (no Secure) | Intercepted on the network |
| SameSite=None without Secure | Rejected by all modern browsers |
| No SameSite attribute | Browser-dependent behaviour; CSRF exposure in older browsers |
Everything runs locally — the auditor inspects only what you paste and makes no network requests.