Cookie Scanner — Secure, HttpOnly & SameSite Flags
Scan Set-Cookie flags — Secure, HttpOnly, SameSite, Max-Age, Domain, and Path
How to Use This Tool
- Enter the HTTPS URL that sets cookies — often a login page or API auth endpoint.
- Server fetch follows redirects and captures Set-Cookie headers from the response chain.
- Each Set-Cookie line is split into its name=value pair and its attribute tokens.
- Secure, HttpOnly, and SameSite are detected case-insensitively from the attribute tokens.
- Max-Age, Domain, Path, and Expires are parsed when declared on the cookie string.
- Review count and per-cookie badges — prioritize missing Secure and HttpOnly on session cookies.
About This Tool
Privacy regulations and security audits increasingly require documented cookie posture — session identifiers without HttpOnly expose XSS theft paths, missing Secure flags allow network interception, and weak SameSite settings enable cross-site request abuse. VSPIC cookie scanner calls the cookies action with your URL, follows redirects, parses all Set-Cookie headers, and reports each cookie's security attributes with count summary — same backend as cookie-analyzer on the security tools path.
Every cookie shows its name plus Secure, HttpOnly, and SameSite detection, alongside Max-Age, Domain, Path, and Expires when present. Use it after login flow changes, OAuth integrations, and marketing tag deployments to verify session cookie hardening on production endpoints.
Common use cases
- Inspect HTTP headers and user-agent strings
- Analyze email headers for phishing investigation
- Generate strong passwords for staging environments
Why use VSPIC for cookie scanning?
- Cookie scanner page built on the cookies action backend.
- Secure, HttpOnly, and SameSite badges per Set-Cookie entry.
- Redirect chain parsing captures cookies from intermediate responses.
- The count field summarizes the total number of cookies set during the fetch.
- The status and url fields document the HTTP response context.
- Free instant scan on publicly reachable URLs.
Cookie security attributes overview
Secure restricts transmission to HTTPS connections — prevents cleartext Wi-Fi captures. HttpOnly blocks JavaScript document.cookie access — mitigates XSS session theft. SameSite controls cross-site submission — Lax or Strict reduces CSRF class attacks.
Modern browsers treat an unspecified SameSite as Lax in many cases; an explicit Strict gives stronger protection for sensitive sessions.
Set-Cookie parsing behavior
handleCookies fetches target URL with SSRF-safe validation, follows redirects, and parses Set-Cookie via parseSetCookies. Multiple Set-Cookie headers on one response each become separate entries in cookies array.
Return shape includes url, status, cookies array, and count — identical to cookie-analyzer extended API path.
Secure flag expectations
All session cookies on HTTPS-only sites should set Secure. A cookie without Secure is also sent on plaintext http:// requests to the same host, so a network attacker who can induce an HTTPS downgrade or a single cleartext request can capture its value.
The cookie scanner marks Secure as present or absent per cookie for audit checklists.
HttpOnly and XSS risk
Session identifiers without HttpOnly are readable by any script on the page — including compromised third-party tags. Authentication cookies should always be HttpOnly.
Analytics cookies may intentionally omit HttpOnly for JavaScript access — segment session vs marketing cookies in privacy reviews with privacy-score-checker notes.
SameSite policy selection
Strict withholds the cookie on every cross-site request, including top-level navigations. It is the strongest CSRF protection but may break OAuth return flows. Lax sends the cookie on top-level GET navigations only, which is the common default balance.
None requires Secure and allows cross-site embedding contexts — needed for some iframe integrations but increases exposure.
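The parsing and attribute checks described in the sections above, as an added example that is not VSPIC's own parseSetCookies or handleCookies code. It splits constructed Set-Cookie values into name, value and attributes, mirrors the url/status/cookies/count return shape the page describes (the per-cookie findings list is an assumption added here), and applies the page's own rules: Secure on every cookie, HttpOnly on session cookies, SameSite declared, and SameSite=None only together with Secure.

```python
"""Parse Set-Cookie headers and report weak security attributes.

Added example; not VSPIC's own code. Field names url/status/cookies/count
follow the return shape the page describes; the session-name heuristic and
the "findings" key are assumptions made for this example.
"""
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    samesite: Optional[str] = None   # "Lax", "Strict", "None" or undeclared
    max_age: Optional[int] = None
    domain: Optional[str] = None
    path: Optional[str] = None
    expires: Optional[str] = None


def parse_set_cookie(line: str) -> Cookie:
    """Split one Set-Cookie value into name=value plus attribute tokens.

    Attributes are separated by ';' (an Expires date contains commas but
    never a semicolon), and attribute names are matched case-insensitively.
    """
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "samesite":
            cookie.samesite = val.capitalize() or None   # lax -> Lax, NONE -> None
        elif key == "max-age":
            try:
                cookie.max_age = int(val)
            except ValueError:
                pass                                      # malformed Max-Age is ignored
        elif key == "domain":
            cookie.domain = val.lstrip(".") or None       # leading dot is ignored by browsers
        elif key == "path":
            cookie.path = val or None
        elif key == "expires":
            cookie.expires = val or None
    return cookie


# Heuristic (assumption): names containing these fragments are treated as session cookies.
SESSION_HINTS = ("sess", "sid", "auth")


def audit(cookie: Cookie) -> list[str]:
    """Apply the hardening rules from the page to one parsed cookie."""
    findings = []
    looks_session = any(h in cookie.name.lower() for h in SESSION_HINTS)
    if not cookie.secure:
        findings.append("missing Secure")
    if looks_session and not cookie.httponly:
        findings.append("session cookie readable by JavaScript (missing HttpOnly)")
    if cookie.samesite is None:
        findings.append("SameSite not declared (browser default, typically Lax)")
    elif cookie.samesite == "None" and not cookie.secure:
        findings.append("SameSite=None without Secure is rejected by modern browsers")
    return findings


def scan(url: str, status: int, set_cookie_headers: list[str]) -> dict:
    """Build the url/status/cookies/count report; each cookie carries its findings."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    return {
        "url": url,
        "status": status,
        "cookies": [{**asdict(c), "findings": audit(c)} for c in cookies],
        "count": len(cookies),
    }


# Constructed sample: headers a login response might return (not a real capture).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600",
    "csrftoken=xyz; Path=/; SameSite=Strict",
    "_ga=GA1.2.555; Domain=.example.com; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "widget=1; Path=/; SameSite=None",
]
REPORT = scan("https://example.com/login", 200, SAMPLE_HEADERS)

if __name__ == "__main__":
    print(f"{REPORT['count']} cookies set by {REPORT['url']} (HTTP {REPORT['status']})")
    for c in REPORT["cookies"]:
        flags = f"Secure={c['secure']} HttpOnly={c['httponly']} SameSite={c['samesite']}"
        print(f"  {c['name']}: {flags}; findings: {c['findings'] or 'none'}")
```

Only the first sample cookie passes cleanly; the analytics cookie shows the "SameSite not declared" case from the overview, and the last one shows why SameSite=None must be paired with Secure. When scanning a real endpoint, feed every Set-Cookie header from each response in the redirect chain into scan(), since a single response may carry several of them.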
Relationship to cookie-analyzer
cookie-scanner and cookie-analyzer both call action cookies with url parameter — identical JSON. cookie-analyzer lives on the security new tools path; cookie-scanner targets cookie scanner SEO on missing-tools path.
API: GET /ip-tools/api/extended?action=cookies&url=https://example.com
Privacy and compliance workflows
Run on homepage, login, checkout, and OAuth callback URLs before privacy policy updates. Document findings in DPIA appendices alongside security-headers-checker grades.
Pair with ip-leak-test when privacy programs also validate VPN egress reputation separate from cookie posture.
Login and OAuth testing workflow
Test the POST login endpoint URLs that return Set-Cookie on success. OAuth callbacks often set the first-party session cookie; verify its flags on the response to the code exchange.
Compare staging vs production — staging sometimes omits Secure on HTTP dev hosts and accidentally ships to prod.
Limitations and devtools correlation
This tool sees server Set-Cookie responses only — not document.cookie writes. Complex SPAs may load third-party cookies without Set-Cookie on the tested URL — manual browser Application tab review remains necessary.
We do not permanently store scanned URLs.
Important notes & limitations
- Cookies set only via JavaScript document.cookie never appear as Set-Cookie headers and are not seen by this scan.
- Set-Cookie headers from subresources on unvisited URLs are not aggregated; test the session endpoint directly.
- Some proxies strip or rewrite Set-Cookie — compare with browser devtools when results differ.
- Requires publicly reachable URL — localhost is not accessible from our server.
- Reports flags only; it does not classify marketing versus necessary cookie categories.
Frequently Asked Questions
Yes. VSPIC offers this cookie scanner at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
The URL may not set cookies without credentials, or cookies require POST login first. Test the endpoint that actually issues Set-Cookie.
Same cookies API and JSON. This page targets cookie scanner SEO; cookie-analyzer uses cookie analyzer terminology.
Best practice yes. Browsers increasingly enforce Secure for SameSite=None; all auth cookies should set Secure explicitly.
Lax for most apps. Strict for high-security apps without cross-site OAuth. None only when cross-site embedding requires it plus Secure.
Yes. We follow redirects and parse Set-Cookie from responses in the chain.
cookies with the url parameter.
Next step for your check
Continue with cookie analyzer on VSPIC.
Related Tools
Explore more free VSPIC tools for IP, DNS, security, and network diagnostics.
- Cookie Analyzer: Analyze cookies — Secure, HttpOnly, SameSite flags
- Security Headers Checker: HSTS, CSP grade A–F, per-header score, full header map
- Privacy Score Checker: free online tool
- Mixed Content Checker: Find HTTP resources on HTTPS pages
- Header Checker: Inspect HTTP request and response headers
- Link Checker: Verify if a URL is reachable and check HTTP status