Cookie Analyzer — Secure, HttpOnly & SameSite Flags

Secure restricts transmission to HTTPS connections — prevents cleartext Wi-Fi captures. HttpOnly blocks JavaScript document.cookie access — mitigates XSS session theft. SameSite controls cross-site submission — Lax or Strict reduces CSRF class attacks.

Modern browsers default unspecified SameSite to Lax in many cases — explicit Strict is stricter for sensitive sessions.

Multiple Set-Cookie headers may appear on one response — each becomes a separate entry. Redirect chains may accumulate cookies from intermediate responses; we parse all captured Set-Cookie lines.

Name and value split on first equals sign; attributes follow semicolon delimiters.

All session cookies on HTTPS-only sites should set Secure. Missing Secure allows network attackers on degraded connections to capture cookie values if HTTPS downgrade occurs.

Our analyzer marks Secure present or absent per cookie with color-coded badges.

Session identifiers without HttpOnly are readable by any script on the page — including compromised third-party tags. Authentication cookies should always be HttpOnly.

Analytics cookies may intentionally omit HttpOnly for JavaScript access — segment session vs marketing cookies in review.

Strict prevents cookie on all cross-site navigations — strongest CSRF protection but may break OAuth return flows. Lax sends cookies on top-level GET navigations — common default balance.

None requires Secure and allows cross-site embedding contexts — needed for some iframe integrations but increases exposure.

Domain attribute widens cookie scope to subdomains — overly broad Domain=.example.com shares sessions across all subdomains intentionally. Path limits cookie to URL prefix paths.

Review Domain on multi-tenant platforms to prevent accidental cookie leakage across customer subdomains.

Session cookies without Max-Age expire when browser closes. Persistent cookies with long Max-Age increase theft window — balance convenience vs risk on remember-me features.

We surface parsed Max-Age and Expires when present for retention policy audits.

Test POST login endpoint URLs that return Set-Cookie on success. OAuth callbacks often set first-party session — verify flags immediately after code exchange response.

Compare staging vs production — staging sometimes omits Secure on HTTP dev hosts and accidentally ships to prod.

SPAs storing tokens in localStorage bypass HttpOnly protection — prefer HttpOnly cookie sessions when XSS risk exists. JWT in Authorization headers avoids cookie CSRF but shifts XSS exposure to JavaScript storage.

Use JWT decoder on API tokens while cookie analyzer covers browser cookie sessions.

HttpOnly cookies set only via JavaScript document.cookie are not Set-Cookie headers — this tool sees server responses only. Subresource responses on the page load without navigating to each URL are not aggregated — test the document or API that sets session.

Some proxies strip or rewrite Set-Cookie — compare with direct origin fetch if results differ from browser devtools.