logz.io: Cookie Security Checker

Check session cookies for HttpOnly, Secure, SameSite flags and other security attributes.

Last checked: Mar 18, 2026, 05:00 PM UTC

100/100
Grade A+

Scan Results

Cookie Security Score: 100/100

  • Critical: 0
  • High: 0
  • Medium: 0
  • Passed: 1

No issues detected — Cookie Security looks good for logz.io.

Common Cookie Security Issues

  • Missing HttpOnly flag on session cookies
  • Missing Secure flag (cookie sent over HTTP)
  • Missing SameSite=Lax or Strict (CSRF risk)
  • Overly broad Domain scope
  • Persistent session tokens that never expire

What This Check Covers

Session cookies are the keys to your users' accounts. A cookie without the HttpOnly flag can be read by JavaScript and stolen via XSS. A cookie without the Secure flag can be transmitted over unencrypted HTTP. A cookie without the SameSite attribute is vulnerable to CSRF attacks. All three should be set on every authentication cookie.

  • HttpOnly flag (prevents JavaScript access)
  • Secure flag (HTTPS-only transmission)
  • SameSite attribute (CSRF protection)
  • Cookie prefix (__Secure- and __Host-)
  • Cookie expiry / session vs persistent
  • Path and Domain scope

Why it matters

Session cookies without proper flags are the most common vector for account takeover. HttpOnly prevents cookie theft via XSS; Secure prevents transmission over HTTP; SameSite prevents CSRF. All three take 5 minutes to add.
