edx.org - Cookie Security Checker
Check session cookies for HttpOnly, Secure, SameSite flags and other security attributes.
Last checked: Mar 19, 2026, 03:00 AM UTC
Scan Results
Cookie Security Score: 76/100 (Grade B)
- Critical: 0
- High: 1
- Medium: 1
- Passed: 3
Common Cookie Security Issues
- Missing HttpOnly flag on session cookies
- Missing Secure flag (cookie sent over HTTP)
- Missing SameSite=Lax or Strict (CSRF risk)
- Overly broad Domain scope
- Persistent session tokens that never expire
What This Check Covers
Session cookies are the keys to your users' accounts. A cookie without the HttpOnly flag is readable by page scripts and can be stolen via XSS. A cookie without the Secure flag can be transmitted over plain HTTP. A cookie without the SameSite attribute is attached to cross-site requests and is therefore vulnerable to CSRF attacks. All three should be set on every authentication cookie.
- HttpOnly flag (prevents JavaScript access)
- Secure flag (HTTPS-only transmission)
- SameSite attribute (CSRF protection)
- Cookie prefix (__Secure- and __Host-)
- Cookie expiry / session vs persistent
- Path and Domain scope
Why it matters
Session cookies without proper flags are the most common vector for account takeover. HttpOnly prevents cookie theft via XSS; Secure prevents transmission over HTTP; SameSite prevents CSRF. All three take 5 minutes to add.