
🍪 Cookie Security Analyzer

Paste a Set-Cookie header to check its security attributes and understand what each flag does.

Paste the value of a Set-Cookie header (with or without the 'Set-Cookie:' prefix).

📚 Why cookie flags matter

Cookies are the most common way web apps maintain login sessions. A poorly configured session cookie is often the easiest path for an attacker to hijack an authenticated session.

Without HttpOnly: Any JavaScript running on the page (including a payload injected through XSS) can read document.cookie and exfiltrate your session token. HttpOnly stops the token itself from being read; it does not stop injected script from making authenticated requests from the victim's browser, so it limits the damage of an XSS bug rather than neutralising it.

Without Secure: Any request to an http:// URL on your site (a typed address, an old link, a mixed-content resource) carries the cookie in plaintext, visible to anyone on the same network. Secure restricts the cookie to HTTPS; pairing it with HSTS keeps the browser from making those plaintext requests in the first place.

Without SameSite: Whether the cookie is sent on cross-site requests depends on the browser. Chromium-based browsers treat a cookie with no SameSite attribute as Lax; others still attach it to cross-site requests, enabling CSRF attacks where another site tricks the browser into making requests to yours. Set it explicitly: Strict withholds the cookie from all cross-site requests, Lax still sends it on top-level GET navigations, and None (which requires Secure) sends it everywhere. Treat SameSite as defence in depth alongside CSRF tokens, not as a replacement for them.
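The checks above, written out as a small Set-Cookie parser and analyzer. This is an added example for illustration, not the tool's own implementation; the function names parseSetCookie and analyzeSetCookie and the wording of the findings are assumptions. It accepts the header with or without the "Set-Cookie:" prefix and also applies the __Host- and __Secure- prefix rules, which the text above does not discuss:

```javascript
// Added example: minimal Set-Cookie analyzer (illustrative, not the tool's code).

// Split a Set-Cookie header into name, value and lower-cased attribute map.
function parseSetCookie(header) {
  // The "Set-Cookie:" prefix is optional, as the tool's input field allows.
  const value = header.trim().replace(/^set-cookie\s*:\s*/i, '');
  const parts = value.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: rest.join('=').trim(), // cookie values may themselves contain '='
    attributes: {},
  };
  for (const part of parts.slice(1)) {
    const idx = part.indexOf('=');
    const key = (idx === -1 ? part : part.slice(0, idx)).trim().toLowerCase();
    // Flag attributes (Secure, HttpOnly) have no value; store true for them.
    cookie.attributes[key] = idx === -1 ? true : part.slice(idx + 1).trim();
  }
  return cookie;
}

// Return the parsed cookie plus a list of security findings (empty = no issues found).
function analyzeSetCookie(header) {
  const cookie = parseSetCookie(header);
  const attrs = cookie.attributes;
  const findings = [];
  const hasSecure = 'secure' in attrs;

  if (!('httponly' in attrs)) {
    findings.push('missing HttpOnly: readable via document.cookie, so XSS can exfiltrate it');
  }
  if (!hasSecure) {
    findings.push('missing Secure: sent in plaintext on any http:// request to the site');
  }

  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) {
    findings.push('missing SameSite: cross-site behaviour depends on browser defaults (Chromium: Lax, others: sent)');
  } else if (sameSite === 'none' && !hasSecure) {
    findings.push('SameSite=None without Secure: browsers reject this cookie');
  } else if (!['strict', 'lax', 'none'].includes(sameSite)) {
    findings.push(`unrecognized SameSite value "${attrs.samesite}"`);
  }

  // Cookie name prefixes: __Host- requires Secure, Path=/ and no Domain;
  // __Secure- requires Secure. Browsers discard prefixed cookies that violate this.
  if (cookie.name.startsWith('__Host-')) {
    if (!hasSecure || attrs.path !== '/' || 'domain' in attrs) {
      findings.push('__Host- prefix requirements not met (needs Secure, Path=/, no Domain)');
    }
  } else if (cookie.name.startsWith('__Secure-') && !hasSecure) {
    findings.push('__Secure- prefix requires Secure');
  }

  return { cookie, findings };
}

// Constructed sample headers for a quick run.
for (const h of [
  'Set-Cookie: session=abc123; Path=/',
  '__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
]) {
  const { cookie, findings } = analyzeSetCookie(h);
  console.log(cookie.name, findings.length ? findings : 'no findings');
}
```

The first sample header produces three findings (no HttpOnly, no Secure, no SameSite); the second, a __Host- cookie with all three flags, produces none. A real analyzer would also report Domain (a cookie scoped to a parent domain is sent to every subdomain) and the lifetime set by Max-Age or Expires, which are outside the scope of the three flags described above.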