Bulk up to 100 • Set-Cookie headers • Security flags

Cookie Checker

Paste URLs — we’ll follow redirects and read Set-Cookie headers to list cookie names and common issues.

Paste up to 100 URLs/domains (one per line)
Tip: This reads response headers only. Sites may set additional cookies after JS actions or consent banners.

Results

Host Cookies HTTP Hops Time Issues
Run a check to see results here.
Missing Secure or SameSite can break sessions or weaken security.

Quick interpretation

Cookies affect security, privacy, and login stability.

  • OK cookies look reasonable
  • Warning missing flags, no cookies, too many
  • Error fetch errors, loops, HTTP 4xx/5xx
Headers inspection

Cookie Checker: verify Set-Cookie flags and basics

Cookies are set via HTTP response headers. If security flags are missing, sessions can be less protected and modern browsers may reject some cookies. This tool checks Set-Cookie headers in bulk, follows redirects, and highlights common problems like missing Secure, HttpOnly, or SameSite.

Common problems

  • SameSite=None without Secure is often blocked by browsers.
  • Missing Secure on HTTPS can expose cookies on downgraded requests.
  • Too many cookies can bloat requests and slow pages.

FAQ

What does this Cookie Checker test?

It reads Set-Cookie response headers (after redirects) and reports cookie names plus common security flags: Secure, HttpOnly, and SameSite.

Does it detect cookies set by JavaScript?

No. This tool checks server headers only. Cookies created by JavaScript or consent flows may not appear unless they are returned in the initial HTTP response.

Why can it show “no cookies set” for a website?

Many sites set cookies only after a login, form submit, consent banner action, or additional requests. A homepage hit may legitimately return zero Set-Cookie headers.

What does “missing Secure” mean?

On HTTPS pages, cookies without Secure can be exposed on downgraded or mixed requests. Secure cookies are sent only over HTTPS, which is usually preferred for auth/session cookies.

Is missing HttpOnly always a security issue?

Not always. Some cookies are intentionally readable by JavaScript (e.g., UI preferences). But for session/auth cookies, HttpOnly is typically recommended to reduce XSS impact.

Why is “SameSite=None without Secure” flagged?

Modern browsers often reject SameSite=None cookies unless Secure is present. This can break cross-site logins, SSO, and embedded flows.

What are “session cookies” in this report?

Cookies without Expires or Max-Age. They usually expire when the browser session ends.

Why is “many cookies” a problem?

Too many cookies increase request header size, can slow down page loads, and may cause headers to exceed limits on some servers/CDNs. Consolidation often improves performance and reliability.