Cookie Inspector
Parse and analyze Set-Cookie headers or page cookie dumps to surface security, scope, and privacy issues with remediation guidance. Useful for privacy, security, and ad ops teams to quickly understand cookie risks and fixes.
Paste Set-Cookie headers or Cookie request strings to analyze attributes and highlight issues.
What you can do here
- Debug missing session cookies or cross-site login issues.
- Audit tracking cookies for expiry and scope.
- Prepare compliance reports for privacy reviews.
Before you start
- Paste Set-Cookie headers or Cookie request lines.
- Use example inputs to see common patterns and edge cases.
Cookie Inspector
Parse Set-Cookie headers or Cookie request strings and surface security issues.
Parser runs locally and evaluates modern cookie requirements (SameSite, Secure, prefixes, size).
About Cookie Inspector
The Cookie Inspector parses Set-Cookie headers and page cookies to display attributes like Domain, Path, Expires/Max-Age, Secure, HttpOnly, and SameSite, and flags common security and privacy issues with remediation tips.
Use it to audit cookie headers for security, privacy, and scope issues before deployment.
How to use Cookie Inspector
- Paste one or more Set-Cookie headers or Cookie request lines.
- Click Analyze to parse the cookies.
- Review parsed cookies, warnings, and suggested fixes.
What you should see
- Parsed cookie list with attributes and warnings.
- JSON export with full attribute details.
Example checks
These are simple checks you can run when you want a real sample and a clear result to compare against.
- Paste Set-Cookie headers or Cookie request lines.
  Why run it: Debug missing session cookies or cross-site login issues.
  What to look for: Parsed cookie list with attributes and warnings.
- Use example inputs to see common patterns and edge cases.
  Why run it: Audit tracking cookies for expiry and scope.
  What to look for: JSON export with full attribute details.
Web Cookies Demystified: Security, Privacy, and Modern Browser Behavior
How Cookies Work in Modern Browsers
HTTP cookies are small pieces of data that web servers send to browsers for storage and return with subsequent requests. Originally designed for session management — keeping users logged in, remembering shopping cart contents — cookies have evolved to serve authentication, personalization, analytics, and advertising functions. A cookie consists of a name-value pair along with attributes that control its scope, lifetime, and security properties.
When a server sets a cookie via the Set-Cookie header, it can specify several attributes. The Domain attribute controls which domains receive the cookie. The Path attribute limits the cookie to specific URL paths. The Expires or Max-Age attribute determines how long the cookie persists. The Secure flag restricts the cookie to HTTPS connections. The HttpOnly flag prevents JavaScript from reading the cookie, which limits cookie theft through cross-site scripting (XSS). The SameSite attribute controls whether the cookie is sent with cross-site requests.
Understanding these attributes is critical for security and privacy. A session cookie without the Secure flag can be intercepted on unencrypted connections. A cookie without HttpOnly can be read by script injected through an XSS flaw. A cookie with SameSite=None without the Secure flag is rejected by modern browsers. Each attribute represents a security decision, and misconfigured cookies are one of the most common sources of authentication failures and security vulnerabilities.
The SameSite Revolution and Third-Party Cookie Deprecation
The most significant change in cookie behavior in recent years is the enforcement of the SameSite attribute. Historically, browsers sent cookies with all requests to the cookie's domain, regardless of which site initiated the request. This behavior enabled cross-site tracking — advertising networks could set cookies from their domain and receive them back on any site that embedded their scripts, allowing them to track users across the web.
Modern browsers now default to SameSite=Lax for cookies that do not explicitly set a SameSite value. This means cookies are only sent with same-site requests and top-level navigations, effectively blocking most cross-site cookie transmission. Cookies that need to work in cross-site contexts (authentication for embedded content, advertising tracking) must explicitly set SameSite=None along with the Secure flag.
The ongoing deprecation of third-party cookies by major browsers represents the most significant shift in web advertising technology in decades. Chrome's Privacy Sandbox, Safari's Intelligent Tracking Prevention, and Firefox's Enhanced Tracking Protection all restrict or eliminate third-party cookies. For ad operations teams, understanding how these changes affect cookie behavior — which cookies are blocked, which are restricted, and which alternative mechanisms exist — is essential for maintaining functional advertising and analytics systems.
Auditing Cookies for Security and Compliance
Cookie auditing involves examining the cookies set by a website to identify security misconfigurations, privacy issues, and compliance gaps. Key checks include verifying that session cookies have the Secure and HttpOnly flags, that SameSite is set appropriately for each cookie's purpose, that cookie lifetimes are reasonable (a tracking cookie with a 10-year expiry raises privacy concerns), and that sensitive data is not stored in cookie values.
For privacy compliance under GDPR, CCPA, and similar regulations, cookie audits also verify that cookies are categorized correctly (necessary, functional, analytics, advertising) and that non-necessary cookies are not set before the user provides consent. This audit process requires parsing the actual Set-Cookie headers to see exactly what attributes are set, rather than relying on documentation that may be outdated or incomplete.
A cookie inspection tool that parses Set-Cookie headers, displays all attributes clearly, and flags common security and privacy issues provides the foundation for systematic cookie auditing. By surfacing missing Secure flags, absent HttpOnly protection, permissive SameSite settings, and excessive lifetimes in a structured report, it transforms cookie auditing from a manual, error-prone task into a guided, repeatable process.
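The audit checks described in this section, sketched as an added example (not the Cookie Inspector's own code). The function names, issue labels, and the 400-day lifetime threshold are assumptions chosen for illustration, and the sample headers are constructed.

```javascript
// Added example: audits Set-Cookie header lines. Names and thresholds are
// illustrative assumptions, not the Cookie Inspector tool's implementation.
const MAX_LIFETIME_DAYS = 400; // assumed review threshold for "excessive" lifetime

function parseSetCookie(header) {
  const [pair, ...rest] = header.replace(/^set-cookie:\s*/i, "").split(";");
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs }; // value deliberately not returned, so reports carry no secrets
}

function auditCookie(header, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  const issues = [];
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  // Findings are review prompts: not every cookie needs every flag.
  if (!attrs.secure) issues.push("missing-secure");
  if (!attrs.httponly) issues.push("missing-httponly");
  if (!sameSite) issues.push("samesite-unset");
  if (sameSite === "none" && !attrs.secure) issues.push("samesite-none-without-secure");
  if (name.startsWith("__Secure-") && !attrs.secure) issues.push("secure-prefix-violation");
  if (name.startsWith("__Host-") && (!attrs.secure || attrs.path !== "/" || "domain" in attrs))
    issues.push("host-prefix-violation");
  // Max-Age takes precedence over Expires when both are present.
  let lifetimeMs = null;
  if (typeof attrs["max-age"] === "string" && /^-?\d+$/.test(attrs["max-age"]))
    lifetimeMs = Number(attrs["max-age"]) * 1000;
  else if (typeof attrs.expires === "string" && !Number.isNaN(Date.parse(attrs.expires)))
    lifetimeMs = Date.parse(attrs.expires) - now;
  if (lifetimeMs !== null && lifetimeMs > MAX_LIFETIME_DAYS * 86400000) issues.push("excessive-lifetime");
  return { name, issues };
}

// Constructed sample headers (not captured from a real site).
const SAMPLES = [
  "Set-Cookie: __Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "Set-Cookie: track_id=xyz; Domain=ads.example; Max-Age=315360000; SameSite=None",
  "Set-Cookie: __Host-cart=1; Domain=shop.example; Path=/; Secure; HttpOnly; SameSite=Strict",
];
function auditAll(headers) { return headers.map((h) => auditCookie(h)); }
console.log(JSON.stringify(auditAll(SAMPLES), null, 2));
```

The third sample shows why prefix rules need their own check: every individual flag is present, yet the Domain attribute breaks the `__Host-` requirements and a browser would reject the cookie.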
Troubleshooting
Common issues
- Cookie values are masked by default to avoid leaking sensitive data.
- Request cookies (Cookie header) do not include attributes.
Best practices
- Paste raw input so the tool can apply formatting consistently.
- If output looks wrong, validate the input for missing commas or tags.
- Use the example buttons above to sanity-check formatting and behavior.
Related tools
More tools in the privacy / tcf category.
- TCF String Decoder - Decode IAB TCF v2 consent strings into human-readable metadata, purposes, and vendor consent arrays. Paste a TC string from a CMP or euconsent-v2 cookie, and instantly see what it contains for QA, troubleshooting, and compliance checks. Everything runs client-side for privacy.
- Cookie Sync Visualizer - Fetch a page and list likely cookie-sync or ID-match partners based on sync-like endpoints found in HTML resources. This is a useful first pass for privacy, identity, and header bidding investigations when you need to see which third-party domains look involved in sync behavior.
- US Privacy String Decoder - Decode IAB US Privacy strings into readable notice, opt-out, and LSPA flags for CCPA and US state privacy debugging.
- Consent Cookie Inspector - Parse cookie strings for common consent and privacy signals such as euconsent-v2, addtl_consent, US Privacy, and GPP cookies so teams can see which consent artifacts are actually present.
Related reading
More specific pages for the exact jobs this tool supports.
- Audit Cookie Attributes for Ad-Tech Workflows - A workflow for making Set-Cookie data understandable before it causes auth, sync, or compliance issues.
- Review SameSite on Identity Cookies - A narrow cookie-attribute page for identity troubleshooting.
- Check Cookie Domain Scope After a CMP Migration - A migration-focused cookie-audit workflow.
- Audit Secure Flags on Ad-Tech Cookies - A security and compliance page for cookie attribute reviews.
- Check Cookie Expiry on Identity Cookies - An expiry-focused workflow for identity cookie reviews.
- Check Path Attributes on Ad-Tech Cookies - A path-scope workflow for ad-tech cookie debugging.
- Find Likely Cookie Sync Partners on a Page - Use sync-pattern detection to focus privacy and identity reviews faster.
- Decode TCF Consent for Vendor Audits - A consent-focused workflow for understanding who is allowed to do what in a TCF string.
Frequently asked questions
Is it free to use?
Yes. Core tools are free and accessible without signup.
Does it upload my data?
This tool runs locally in your browser. Data you paste or files you upload stay on your device and are not uploaded.
What if I spot a bug?
Please reach out via the Contact page with a reproduction example.
Can it read browser cookies directly?
No. Paste the Cookie or Set-Cookie header values you want to inspect.
Does it handle multiple Set-Cookie headers?
Yes. Paste multiple lines or combined headers and it will split them.
Are cookie values uploaded?
No. Parsing runs locally, and values are masked by default.