Cookie Security Audit

Inspect Cookie / Set-Cookie attributes and consistency in your browser. No input is sent to a server. Use it for first-pass operational troubleshooting.

Status

Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.

How to use

Paste one or more Set-Cookie lines and click Audit. The result flags missing or conflicting Secure, HttpOnly, and SameSite settings.

Notes (this tool)

  • Browser differences and spec updates can change behavior even with the same attributes.
  • In production, also check Path/Domain conflicts and overwrites across multiple cookies.

About this page

What does this tool do?

Checks Secure/HttpOnly/SameSite and warns about risky combinations.

Recommendations (practical)

  • SameSite=None must be paired with Secure
  • Use HttpOnly for sensitive cookies
  • Prefer SameSite=Lax or stricter

What this tool does

  • List presence of Secure/HttpOnly/SameSite
  • Detect risky combinations

Debugging workflow (recommended)

  • Paste Cookie or Set-Cookie values
  • Review attributes such as Secure, HttpOnly, and SameSite
  • Check Domain and Path conflicts with related tools

Operational notes

  • Behavior can vary with browser implementation differences and default changes.
  • Duplicate cookie names and Path or Domain differences often cause operational issues.
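The workflow and operational notes above describe the checks this kind of audit performs. The following is an added example, not the page's own tool code: it parses Set-Cookie lines, flags missing Secure/HttpOnly/SameSite and the SameSite=None-without-Secure combination, and reports same-name cookies whose Domain or Path differ (the collisions the notes warn about). The sample header lines and the function names are constructed for the example.

```javascript
// Added example (not the page's tool): a minimal Set-Cookie auditor.
// Parses each header line into name/value/attributes, then applies the
// checks described on the page and looks for same-name scope collisions.

function parseSetCookie(line) {
  const parts = line.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    // Attribute names are case-insensitive; flag attributes get `true`.
    const k = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs, raw: line };
}

function auditCookie(c) {
  const findings = [];
  const a = c.attrs;
  const sameSite = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : undefined;
  if (!a.secure) findings.push('missing Secure');
  if (!a.httponly) findings.push('missing HttpOnly (script can read this cookie)');
  if (sameSite === undefined) findings.push('missing SameSite (browser default applies)');
  if (sameSite === 'none' && !a.secure) {
    findings.push('SameSite=None without Secure: browsers reject this cookie');
  }
  return findings;
}

// Normalise Domain/Path into a scope key so that "example.com" and
// ".example.com" compare equal and an absent Domain means host-only.
function scopeKey(c) {
  const domain = typeof c.attrs.domain === 'string'
    ? c.attrs.domain.toLowerCase().replace(/^\./, '')
    : '(host-only)';
  const path = typeof c.attrs.path === 'string' ? c.attrs.path : '(default)';
  return `${domain}|${path}`;
}

function auditSetCookieLines(lines) {
  const cookies = lines.map(parseSetCookie);
  const report = cookies.map((c) => ({ name: c.name, findings: auditCookie(c) }));

  // Same cookie name set more than once: if the scopes differ, the browser
  // stores several cookies under one name and the server sees duplicates.
  const byName = new Map();
  for (const c of cookies) {
    const list = byName.get(c.name) || [];
    list.push(c);
    byName.set(c.name, list);
  }
  const collisions = [];
  for (const [name, list] of byName) {
    if (list.length < 2) continue;
    const scopes = new Set(list.map(scopeKey));
    collisions.push({ name, count: list.length, distinctScopes: scopes.size });
  }
  return { report, collisions };
}

// Constructed sample input for the example (not captured from a real site).
const SAMPLE_SET_COOKIE_LINES = [
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'tracker=xyz; Path=/; SameSite=None',
  'session=def456; Path=/app; Domain=example.com; Secure; HttpOnly; SameSite=Lax',
];

console.log(JSON.stringify(auditSetCookieLines(SAMPLE_SET_COOKIE_LINES), null, 2));
```

The second sample line produces three findings (no Secure, no HttpOnly, and SameSite=None without Secure); the two `session` lines produce no attribute findings but are reported as one name set under two distinct scopes, which is the kind of collision that shows up as "lost login" symptoms in practice.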

Referenced specs

  • MDN: Set-Cookie

FAQ

Is Secure mandatory with SameSite=None?

Yes. In practice, SameSite=None should always be paired with Secure.

What does HttpOnly protect against?

It prevents script (for example, document.cookie) from reading the cookie, which reduces the risk of session theft when an XSS flaw is exploited.
