Audit Set-Cookie Security Flags Instantly

Paste a raw Set-Cookie response header below. This client-side cookie flag checker grades the Secure, HttpOnly, SameSite, Path, and expiry attributes and explains every weakness it finds — nothing leaves your browser.

--

How the cookie flag checker scores your header

The tool parses the header into a name=value pair plus its attribute list, then runs a weighted deduction model. Every cookie starts at a perfect 100 points and loses points for each missing or misconfigured protection. The weights reflect real-world attack surface:

The remaining score maps to a letter grade: A (90–100), B (75–89), C (60–74), D (40–59), and F below 40. In the strict-auth context the SameSite and HttpOnly penalties are amplified, because a leaked credential cookie is far costlier than a leaked analytics cookie. The grade updates on every keystroke, so you can paste a header, toggle the context, and see precisely which single flag change moves you from a B to an A. Because all parsing and scoring run locally in vanilla JavaScript, you can safely test production session cookies without sending them to any server.
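To make the deduction model concrete, here is an added example in the same vanilla-JavaScript style; it is not the tool's own code. The penalty weights, the 1.5x strict-auth amplifier and the 30-day lifetime limit are constructed assumptions, while the A–F thresholds are the ones stated above.

```javascript
// Added example (not the tool's own code): a small Set-Cookie parser and
// weighted deduction scorer in the style described above. The penalty
// weights, the 1.5x strict-auth amplifier and the 30-day lifetime limit
// are constructed assumptions; only the grade thresholds come from the page.
const WEIGHTS = { secure: 25, httponly: 20, samesite: 20, path: 10, expiry: 10 };
const MAX_LIFETIME_SECONDS = 30 * 24 * 3600; // assumed limit for a long-lived cookie

// Split "name=value; Attr; Attr=val" into a name/value pair plus a lowercase attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim(); // flag attrs become true
  }
  return { name: parts[0].slice(0, eq === -1 ? undefined : eq).trim(),
           value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(), attrs };
}

// Start at 100 and deduct per missing or weak protection; strictAuth amplifies
// the HttpOnly and SameSite penalties, as the page describes for credential cookies.
function scoreCookie(header, { strictAuth = false } = {}) {
  const { attrs } = parseSetCookie(header);
  const amp = strictAuth ? 1.5 : 1;
  const findings = [];
  let score = 100;
  const deduct = (points, why) => { score -= points; findings.push(why); };

  if (!attrs.secure) deduct(WEIGHTS.secure, 'no Secure: cookie is sent over plaintext HTTP');
  if (!attrs.httponly) deduct(WEIGHTS.httponly * amp, 'no HttpOnly: readable by page scripts');
  const ss = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (!ss) deduct(WEIGHTS.samesite * amp, 'no SameSite: relies on the browser default');
  else if (ss === 'none') deduct(WEIGHTS.samesite * amp / 2, 'SameSite=None: sent on cross-site requests');
  if (!attrs.path) deduct(WEIGHTS.path, 'no Path: scope falls back to the default-path rule');
  const maxAge = 'max-age' in attrs ? Number(attrs['max-age']) : NaN;
  const expiresMs = 'expires' in attrs ? Date.parse(attrs.expires) : NaN;
  if (maxAge > MAX_LIFETIME_SECONDS || expiresMs - Date.now() > MAX_LIFETIME_SECONDS * 1000) {
    deduct(WEIGHTS.expiry, 'lifetime exceeds the assumed 30-day limit');
  }
  const final = Math.max(0, score);
  return { score: final, grade: gradeFor(final), findings };
}

// Letter-grade thresholds as stated on the page.
function gradeFor(score) {
  if (score >= 90) return 'A';
  if (score >= 75) return 'B';
  if (score >= 60) return 'C';
  if (score >= 40) return 'D';
  return 'F';
}
```

Running the same header with and without `strictAuth` shows the context toggle at work: a cookie lacking only SameSite scores 80 (B) normally and 70 (C) in strict-auth context.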
