Cookie Inspector
Parse and inspect Set-Cookie headers from HTTP responses. Visualize cookie attributes, including domain, path, expiry, and the Secure, HttpOnly and SameSite flags. Detect potential security issues such as a missing Secure flag on sensitive cookies or overly broad domain scoping.

session_id
size: 126B
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.signature
✓ Secure flag set
✓ HttpOnly set (JS can't read)
✓ SameSite=Strict
ℹ Value looks like a JWT — try the JWT Decoder

csrf_token
size: 76B
a8f5f167f44f4964e6c998dee827110c
✓ Secure flag set
⚠ Missing HttpOnly — accessible via document.cookie (XSS risk)
✓ SameSite=Strict
✗ Auth-style cookie without HttpOnly — high XSS risk

tracking_id
size: 70B
abc123def456
✗ Missing Secure flag — cookie sent over HTTP
⚠ Missing HttpOnly — accessible via document.cookie (XSS risk)
⚠ Missing SameSite — defaults vary by browser
🔒 Cookies parsed locally. Auth cookies should always have Secure + HttpOnly + SameSite.
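
The checks listed above can be reproduced with a small Set-Cookie parser. This is an added example, not the tool's own code: the function names, finding labels, the auth-style name regex and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: names, finding labels and heuristics are assumptions, not the tool's code.
const AUTH_NAME = /sess|auth|token|jwt/i;            // assumed "auth-style" name heuristic
const JWT_SHAPE = /^eyJ[\w-]*\.[\w-]+\.[\w-]*$/;     // three base64url-like segments

function parseSetCookie(header) {
  const [pair = '', ...rest] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('Set-Cookie needs a name=value pair');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flags such as Secure carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

function inspectCookie(header) {
  const { name, value, attrs } = parseSetCookie(header);
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  const findings = [];
  if (!attrs.secure) findings.push('missing-secure');
  if (!attrs.httponly) {
    findings.push('missing-httponly');
    if (AUTH_NAME.test(name)) findings.push('auth-without-httponly');
  }
  if (!sameSite) findings.push('missing-samesite');
  // Current browsers reject SameSite=None cookies that are not also Secure.
  else if (sameSite === 'none' && !attrs.secure) findings.push('samesite-none-without-secure');
  // A Domain attribute extends the cookie to subdomains; without it the cookie is host-only.
  if (attrs.domain) findings.push('domain-includes-subdomains');
  if (JWT_SHAPE.test(value)) findings.push('value-looks-like-jwt');
  return { name, findings };
}

// Constructed sample headers modelled on the three cookies listed above.
const SAMPLES = [
  'session_id=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.signature; Path=/; Secure; HttpOnly; SameSite=Strict',
  'csrf_token=a8f5f167f44f4964e6c998dee827110c; Path=/; Secure; SameSite=Strict',
  'tracking_id=abc123def456; Domain=.example.com; Path=/',
];
for (const h of SAMPLES) {
  const { name, findings } = inspectCookie(h);
  console.log(name, findings.length ? findings.join(', ') : 'no findings');
}
```

A double-submit CSRF token that page script has to read is a case where the missing-HttpOnly finding is expected rather than a defect, so name-based findings like this one need review against how the cookie is actually used.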