Audit Set-Cookie Security Flags Instantly
Paste a raw Set-Cookie response header below. This client-side cookie flag checker grades the Secure, HttpOnly, SameSite, Path, and expiry attributes and explains every weakness it finds — nothing leaves your browser.
How the cookie flag checker scores your header
The tool parses the header into a name=value pair plus its attribute list, then runs a weighted deduction model. Every cookie starts at a perfect 100 points and loses points for each missing or misconfigured protection. The weights reflect real-world attack surface:
- Secure (−30): without it the cookie travels over plain HTTP, exposing it to network sniffing and SSL-strip downgrades.
- HttpOnly (−25): without it any injected JavaScript can read the cookie via document.cookie, turning an XSS into full session theft.
- SameSite (−20 if absent, −12 if None without Secure, −5 if None): guards against cross-site request forgery; Lax or Strict is preferred for auth.
- Scope hygiene (−8): a missing Path, an overly broad host-spanning Domain, or no Expires/Max-Age on a long-lived cookie.
- Prefix bonus: a __Host- or __Secure- name that does not satisfy its required attributes is flagged as an outright invalid cookie the browser will reject.
The remaining score maps to a letter grade: A (90–100), B (75–89), C (60–74), D (40–59), and F below 40. In strict auth context the SameSite and HttpOnly penalties are amplified, because a leaked credential cookie is far costlier than a leaked analytics cookie. The grade updates on every keystroke, so you can paste a header, toggle the context, and see precisely which one flag flip moves you from a B to an A. Because all parsing and scoring run locally in vanilla JavaScript, you can safely test production session cookies without sending them to any server.
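The deduction model and grade bands above, as an added example written for this page rather than the tool's own code. The weights and bands are taken from the description; the 1.5x amplification used for the strict auth context and the decision to skip the expiry check (the header alone does not say whether a cookie is long-lived) are assumptions.

```javascript
// Added example (not the tool's own code): a small reimplementation of the
// deduction model described above. Weights and grade bands are the page's;
// the 1.5x "strict auth" amplification is an assumed value.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, attrs };
}
function toGrade(score) {
  return score >= 90 ? "A" : score >= 75 ? "B" : score >= 60 ? "C" : score >= 40 ? "D" : "F";
}
function scoreCookie(header, { authContext = false } = {}) {
  const { name, attrs } = parseSetCookie(header);
  const amp = authContext ? 1.5 : 1; // assumption: auth context amplifies credential-relevant penalties
  const findings = [];
  let score = 100;
  const deduct = (points, msg) => { score -= points; findings.push(msg); };

  const secure = "secure" in attrs;
  const path = typeof attrs.path === "string" ? attrs.path : null;
  if (!secure) deduct(30, "Missing Secure: cookie is sent over plain HTTP");
  if (!("httponly" in attrs)) deduct(25 * amp, "Missing HttpOnly: readable via document.cookie");

  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) deduct(20 * amp, "Missing SameSite: relies on the browser default");
  else if (sameSite === "none" && !secure) deduct(12 * amp, "SameSite=None without Secure: browsers reject it");
  else if (sameSite === "none") deduct(5 * amp, "SameSite=None: sent on cross-site requests");

  // Scope hygiene: one deduction covers a missing Path or a host-spanning Domain.
  // The long-lived-cookie expiry check needs context the header alone lacks, so it is omitted.
  if (path === null || "domain" in attrs) deduct(8, "Scope hygiene: missing Path or broad Domain");

  // Prefix rules: __Host- needs Secure, Path=/ and no Domain; __Secure- needs Secure.
  let invalid = false;
  if (name.startsWith("__Host-")) invalid = !secure || path !== "/" || "domain" in attrs;
  else if (name.startsWith("__Secure-")) invalid = !secure;
  if (invalid) { score = 0; findings.push("Prefix requirements not met: browser will reject this cookie"); }

  score = Math.max(0, Math.round(score));
  return { name, score, grade: toGrade(score), invalid, findings };
}
```

Toggling `authContext` on a header that lacks only SameSite moves it from a B (80) to a C (70), which is the kind of single-flag swing the grade display is meant to surface.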