Free Cookie Security Analyzer (Set-Cookie)
Analyze and grade Set-Cookie headers. Flags missing Secure, HttpOnly and SameSite, and validates __Host-/__Secure- prefixes. Free, runs in your browser.
About this tool
Cookies that carry session tokens are a prime target — and a missing flag is all it takes to expose one. This free cookie security analyzer parses Set-Cookie headers and grades them, flagging missing Secure, HttpOnly and SameSite attributes and validating the special __Host- and __Secure- name prefixes that lock a cookie to a host and to HTTPS.
Paste a Set-Cookie header and the tool explains each attribute and the risk of leaving it off — session theft over plain HTTP, theft via cross-site scripting, or cross-site request forgery. It runs in your browser, making it a fast way to verify your application sets cookies safely.
Frequently asked questions
Which cookie attributes are important for security?
Secure (only sent over HTTPS), HttpOnly (not readable by JavaScript, mitigating XSS theft), and SameSite (restricts cross-site sending, mitigating CSRF). For sensitive cookies, the __Host- prefix adds strong host-binding guarantees.
What does the __Host- prefix do?
A cookie whose name starts with __Host- is only accepted by the browser if it carries the Secure attribute, has no Domain attribute and has Path=/. That binds it tightly to the exact host over HTTPS, so a subdomain cannot overwrite it and it cannot be set over plain HTTP.
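As an added example (not the tool's own code), the checks described in these answers can be expressed as a small Set-Cookie grader in JavaScript; the grade scale, finding messages and sample headers are my own assumptions, not the tool's.

```javascript
// Parse one Set-Cookie header into its name, value and attributes (attribute keys lower-cased).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim(); // flag attributes become true
  }
  return { name, value, attrs };
}

// Grade a header: flags missing Secure/HttpOnly/SameSite and validates the __Host-/__Secure- prefixes.
// Grade scale (assumed): A = no findings, B = 1, C = 2, D = 3+, F = prefix rule violated.
function analyzeSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const secure = attrs.secure === true;
  if (!secure) findings.push('missing Secure: cookie may be sent over plain HTTP');
  if (attrs.httponly !== true) findings.push('missing HttpOnly: readable by script (XSS theft)');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (!sameSite) findings.push('missing SameSite: cross-site requests may carry the cookie (CSRF)');
  else if (sameSite === 'none' && !secure) findings.push('SameSite=None requires Secure');
  let prefixOk = true;
  if (name.startsWith('__Host-')) {
    // __Host- requires Secure, no Domain attribute and Path=/ (a missing Path also fails).
    if (!secure || 'domain' in attrs || attrs.path !== '/') {
      prefixOk = false;
      findings.push('__Host- prefix violated: needs Secure, no Domain, Path=/');
    }
  } else if (name.startsWith('__Secure-')) {
    if (!secure) { prefixOk = false; findings.push('__Secure- prefix violated: needs Secure'); }
  }
  const grade = !prefixOk ? 'F'
    : findings.length === 0 ? 'A' : findings.length === 1 ? 'B' : findings.length === 2 ? 'C' : 'D';
  return { name, findings, grade, prefixOk };
}

// Constructed sample headers, for running the grader stand-alone.
const SAMPLE_GOOD = '__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict';
const SAMPLE_BAD = '__Host-session=abc123; Domain=example.com; Secure; HttpOnly; SameSite=Lax';
console.log(analyzeSetCookie(SAMPLE_GOOD).grade, analyzeSetCookie(SAMPLE_BAD).findings);
```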
Is the cookie analyzer private?
Yes. It parses the Set-Cookie header you paste entirely in your browser; nothing is uploaded.