Cookie Parser & Auditor

Paste Set-Cookie header(s), a Cookie header, or document.cookie — parse all attributes, flag missing Secure/HttpOnly, SameSite=None-without-Secure, and show human-readable expiry. Values masked by default.

Runs 100% client-side
Accepts: Set-Cookie lines · Cookie: header · document.cookie string

HOW TO USE

  1. Paste a Set-Cookie header, a Cookie header, or a document.cookie string — the format is auto-detected.
  2. Review each cookie's attributes and the Secure / HttpOnly / SameSite findings; values are masked by default.
  3. Copy the parsed output as Markdown into a security bug report.

Try it

Set-Cookie: session=abc123; SameSite=None; Path=/ — flags SameSite=None without Secure

WHEN TO USE

Use when you need to inspect cookie attributes from a Set-Cookie response header, a Cookie request header, or a document.cookie string — checking for missing Secure/HttpOnly flags, SameSite policy, broad domain scope, and expiry. Paste in any format; the tool auto-detects. Cookie values are masked by default so you can safely share the parsed output in bug reports.

WHAT BUGS THIS FINDS

  • HttpOnly missing on session cookie

    Without HttpOnly, JavaScript (including injected XSS scripts) can read the session token via document.cookie.

  • Secure flag absent on production

    A session cookie without Secure will be sent over HTTP connections, exposing it to network eavesdropping.

  • SameSite=None without Secure

    Browsers reject SameSite=None cookies that lack the Secure attribute, which causes cross-site requests to fail silently with no network error.

  • Overly broad Domain attribute

    Domain=.example.com shares the cookie across all subdomains — including unrelated ones that may be less trusted.
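
The four checks listed above, plus value masking and Max-Age/Expires resolution, as an added JavaScript example (this is not the tool's own code; `parseSetCookie` and `auditCookie` are hypothetical names, and the second sample line is constructed):

```javascript
// Added example, not the tool's source. All function names are hypothetical.
function parseSetCookie(line) {
  const raw = line.replace(/^set-cookie:\s*/i, "");
  const [pair, ...rest] = raw.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("expected name=value, got: " + pair);
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    // Attribute names are case-insensitive; Secure and HttpOnly carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

function auditCookie(cookie, now = new Date()) {
  const a = cookie.attrs;
  const findings = [];
  const sameSite = typeof a.samesite === "string" ? a.samesite.toLowerCase() : null;
  if (!a.httponly) findings.push("HttpOnly missing");
  if (!a.secure) findings.push("Secure missing");
  if (sameSite === "none" && !a.secure) findings.push("SameSite=None without Secure");
  // Any Domain attribute widens scope to subdomains; a leading dot is ignored.
  if (typeof a.domain === "string" && a.domain !== "") {
    findings.push("Domain set: also sent to subdomains of " + a.domain.replace(/^\./, ""));
  }
  // Max-Age wins over Expires when both are present.
  let expires = "session";
  if (typeof a["max-age"] === "string" && /^-?\d+$/.test(a["max-age"])) {
    expires = new Date(now.getTime() + Number(a["max-age"]) * 1000).toISOString();
  } else if (typeof a.expires === "string" && !Number.isNaN(Date.parse(a.expires))) {
    expires = new Date(a.expires).toISOString();
  }
  // Mask the value so the report can be shared without leaking the token.
  return { name: cookie.name, value: "*".repeat(8), findings, expires };
}

// First line is the page's "Try it" sample; the second is constructed for this example.
const samples = [
  "Set-Cookie: session=abc123; SameSite=None; Path=/",
  "Set-Cookie: sid=c29tZXRva2Vu; Domain=.example.com; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
];
for (const line of samples) {
  console.log(auditCookie(parseSetCookie(line), new Date("2024-01-01T00:00:00Z")));
}
```
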

QA USE CASES

01

Audit session cookie security attributes

Paste the Set-Cookie header from a login response — confirm HttpOnly, Secure, and SameSite=Strict or Lax are set on the session cookie.

02

Debug a SameSite=None CORS rejection

Paste the Set-Cookie header and confirm SameSite=None is paired with Secure — without Secure, the browser silently rejects SameSite=None cookies.

03

Check cookie expiry math

Paste a Set-Cookie with Max-Age or Expires — get a human-readable expiry date instead of doing the arithmetic manually.

04

Inspect multiple cookies at once

Paste all Set-Cookie headers from a response (one per line) — get a card per cookie showing all attributes side by side.

05

Verify document.cookie format

Paste a document.cookie value from the browser console — parse each name=value pair to confirm expected cookies are present.