FREE TOOL

Cookie Security Checker

Analyze any domain's cookie security attributes. Check Secure, HttpOnly, and SameSite flags to find misconfigured cookies.

What are cookie security attributes?

Cookies carry three security attributes that matter most. Secure tells the browser to send the cookie only over HTTPS, never in a plaintext HTTP request. HttpOnly keeps the cookie out of document.cookie, so script injected through an XSS bug cannot read it. SameSite controls whether the browser attaches the cookie to requests that originate from another site, which is the mechanism CSRF relies on. A session or authentication cookie should have all three set, and SameSite=None is only valid together with Secure.

Why check cookie security?

Cookies often carry session tokens, authentication state and tracking identifiers. A session cookie without the Secure flag is transmitted in the clear whenever the browser makes a plain HTTP request to the site, so an attacker on the same network who can inject an http:// link or downgrade a connection can read it off the wire. Without HttpOnly, a single XSS vulnerability lets injected script read the cookie and hand the session to the attacker. Without SameSite, the browser attaches the cookie to requests other sites trigger, which is exactly what cross-site request forgery exploits. These attributes are a cheap first line of defense; they complement, rather than replace, server-side CSRF tokens and output encoding.

How to fix insecure cookies

In most frameworks you set the attributes when the cookie is created. In Express.js, pass them to res.cookie, for example res.cookie("sid", token, { secure: true, httpOnly: true, sameSite: "Lax" }); with express-session the same object goes under the cookie option. In Django, set SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True and SESSION_COOKIE_SAMESITE = "Lax" in settings.py (the CSRF cookie has matching CSRF_COOKIE_* settings). For PHP, set session.cookie_secure, session.cookie_httponly and session.cookie_samesite in php.ini, or at runtime with ini_set() or session_set_cookie_params() before session_start(). Cookies set by other code paths (direct setcookie calls, third-party widgets, a CDN or load balancer) need the same treatment, which is why scanning the live Set-Cookie headers is the reliable check.

FAQ

Frequently asked questions

Is this cookie checker free?

Yes, completely free. No signup or credit card required. Check any public domain's cookie security attributes instantly.

Why does it show no cookies?

Some sites only set cookies after login, consent or JavaScript execution. This tool inspects the Set-Cookie headers in the initial, unauthenticated HTTP response. Cookies created by script through document.cookie, or only issued after you sign in, will not appear in this scan; to review those, look at the cookie list in your browser's developer tools after logging in.

What is the best SameSite value?

SameSite=Strict offers the strongest CSRF protection but never sends the cookie on any cross-site request, including a top-level link from an email, so the user arrives logged out. SameSite=Lax is the recommended default: the cookie travels with top-level navigations that use a safe method such as GET, but not with cross-site POSTs, subresource loads or fetch/XHR calls. SameSite=None sends the cookie on all cross-site requests and is only accepted together with the Secure flag; browsers reject SameSite=None without it. Chromium-based browsers treat a missing SameSite as Lax, but set it explicitly rather than rely on a browser default.

How is this different from a headers checker?

The headers checker analyzes HTTP response headers like Content-Security-Policy and X-Frame-Options. This cookie checker specifically examines the security attributes of individual cookies (Set-Cookie headers). Both are important for a complete security picture. CQwerty Shield's full scan covers both.

FULL SECURITY AUDIT

Cookie Security Checker is just the start.

CQwerty Shield checks SSL, DMARC, SPF, DNS, HTTP headers, WHOIS, breach intel, and more — with CVE/KEV cross-references on every finding.

Free full scan — no signup