Cookie Security Checker
Session cookies are the keys to your users' accounts. A cookie without the HttpOnly flag can be stolen via XSS. A cookie without the Secure flag can be transmitted over plain HTTP. A cookie without a SameSite attribute is vulnerable to CSRF attacks. All three should be set on every authentication cookie.
What it checks
- ✓ HttpOnly flag (prevents JavaScript access)
- ✓ Secure flag (HTTPS-only transmission)
- ✓ SameSite attribute (CSRF protection)
- ✓ Cookie prefix (__Secure- and __Host-)
- ✓ Cookie expiry (session vs persistent)
- ✓ Path and Domain scope
Why it matters
Session cookies without proper flags are the most common vector for account takeover. HttpOnly prevents cookie theft via XSS; Secure prevents transmission over HTTP; SameSite prevents CSRF. All three take 5 minutes to add.
Common issues found
- Missing HttpOnly flag on session cookies
- Missing Secure flag (cookie sent over HTTP)
- Missing SameSite=Lax or Strict (CSRF risk)
- Overly broad Domain scope
- Persistent session tokens that never expire
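The checks listed under "What it checks" and "Common issues found" amount to parsing each Set-Cookie header and testing its attributes. The following is an added example of that logic, not the checker's own code: it reads constructed Set-Cookie headers (not captured from any real site) and reports missing HttpOnly, Secure and SameSite, __Secure-/__Host- prefix violations, an explicit Domain, and persistent lifetimes beyond a chosen limit (the 30-day default is an assumed threshold, not one stated on the page).

```python
# Added example: audit Set-Cookie headers for the flags and scope issues above.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers: one clean session cookie, one clean __Host- cookie,
# and three weak ones. Not captured from any real site.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "sid=def456; Path=/; Domain=example.com",
    "__Host-token=ghi789; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Secure-pref=1; Path=/; HttpOnly; SameSite=None",
    "remember=xyz; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=315360000",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute_lowercase: value})."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def lifetime_days(attrs):
    """Cookie lifetime in days from Max-Age or Expires; None for a session cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) / 86400
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - datetime.now(timezone.utc)).total_seconds() / 86400
    return None


def audit_cookie(header, max_persist_days=30):
    """Return (cookie_name, [findings]); an empty list means no issues found."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite not in ("lax", "strict"):
        findings.append(f"SameSite={attrs['samesite']} offers no CSRF protection")
    # Prefix rules: __Secure- requires Secure; __Host- also requires Path=/ and no Domain.
    if name.startswith("__Secure-") and "secure" not in attrs:
        findings.append("__Secure- prefix requires the Secure flag")
    if name.startswith("__Host-"):
        if "secure" not in attrs:
            findings.append("__Host- prefix requires the Secure flag")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
        if "domain" in attrs:
            findings.append("__Host- prefix forbids a Domain attribute")
    # Scope: an explicit Domain sends the cookie to every subdomain as well.
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']} shares the cookie with all subdomains")
    # Expiry: session cookies are fine; long-lived session tokens are flagged.
    days = lifetime_days(attrs)
    if days is not None and days > max_persist_days:
        findings.append(f"persistent for {days:.0f} days (limit {max_persist_days})")
    return name, findings


def audit_all(headers, max_persist_days=30):
    """Audit a list of Set-Cookie headers; returns {cookie_name: [findings]}."""
    return dict(audit_cookie(h, max_persist_days) for h in headers)


if __name__ == "__main__":
    for cookie, issues in audit_all(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'OK' if not issues else '; '.join(issues)}")
```

Attribute names are matched case-insensitively because browsers treat them that way, and the parser deliberately does not reject SameSite=None outright: it reports it as offering no CSRF protection and relies on the separate Secure check to catch the Secure-less SameSite=None combination that browsers refuse.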