Free tool
Free Cookie Security Audit
Check Secure, HttpOnly, and SameSite flags on every cookie.
Free. No account. Results in under 60 seconds.
What it checks
Every check, explained
- 01 Secure flag — cookie only sent over HTTPS?
- 02 HttpOnly flag — blocked from JavaScript access?
- 03 SameSite attribute — Lax, Strict, or None?
- 04 Path and domain scope — too broad or just right?
- 05 Expiry / Max-Age — session cookie or persistent?
Why it matters
Why you should care
Session cookies are the most-stolen secret on the web. A cookie missing HttpOnly can be read by XSS. A cookie missing Secure can be intercepted on public Wi-Fi. A cookie missing SameSite can be used in CSRF. These three flags stop most attacks on authentication.
How it works
What happens when you paste a URL
We load your URL and read the Set-Cookie response headers. For each cookie, we show exactly which flags and attributes are set. The request carries no cookies of our own, and we never attempt to read cookie values.
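As an added example of the audit described above (not the tool's own code), the functions below parse raw Set-Cookie header values and report the five checks listed under "What it checks". The header values are constructed samples, and the `site_is_https` parameter is an assumption about the site being audited.

```python
# Added example: audit Set-Cookie header values for Secure, HttpOnly,
# SameSite, scope and persistence. Sample headers below are constructed.

def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, value, {attr: value}).
    Attribute names are case-insensitive (RFC 6265), so they are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header: str, site_is_https: bool = True) -> dict:
    """Return the cookie's name, scope, persistence and a list of findings."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    secure = "secure" in attrs
    if site_is_https and not secure:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite == "none" and not secure:
        # Browsers reject SameSite=None unless Secure is also present.
        findings.append("SameSite=None requires Secure")
    elif samesite not in ("lax", "strict", "none"):
        findings.append(f"unrecognised SameSite value {samesite!r}")
    if "domain" in attrs:
        # An explicit Domain attribute widens the cookie to every subdomain.
        findings.append(f"Domain={attrs['domain']} shares cookie with subdomains")
    persistent = "expires" in attrs or "max-age" in attrs
    return {
        "name": name,
        "path": attrs.get("path", "(default: request path)"),
        "persistent": persistent,
        "findings": findings,
    }


def audit_response(set_cookie_headers, site_is_https: bool = True):
    """Audit every Set-Cookie header of one response; one dict per cookie."""
    return [audit_cookie(h, site_is_https) for h in set_cookie_headers]


if __name__ == "__main__":
    SAMPLE = [  # constructed sample headers, not output from any real site
        "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "tracker=xyz; Domain=example.com; Max-Age=31536000",
        "pref=dark; Path=/; SameSite=None",
    ]
    for result in audit_response(SAMPLE):
        print(result["name"], "->", result["findings"] or ["ok"])
```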
FAQ
Frequently asked questions
- My cookies are set after I log in — can you check those?
- We only see cookies set on your homepage (pre-login). For authenticated cookie checks, use your browser's DevTools → Application → Cookies after logging in.
- Are cookies without Secure always bad?
- On an HTTPS site, yes. On an HTTP-only site, Secure would prevent the cookie from being sent at all. Since every site should be HTTPS, every cookie should have Secure.
Fix guides
If this check fails, here is what to do
Cookie missing Secure flag
Cookies without the Secure flag can be sent over HTTP, leaking session tokens to anyone on the same network. Here is how to set it.
Cookie missing HttpOnly
HttpOnly stops JavaScript from reading a cookie, which is critical for session tokens. Here is when and how to set it.
Cookie missing SameSite
SameSite controls whether cookies are sent on cross-site requests — the main defense against CSRF. Here is how to set it.
Glossary
Learn the concepts
SameSite Cookie Attribute
SameSite controls whether the browser sends your cookie on cross-site requests. The main defense against CSRF.
Cross-Site Request Forgery
CSRF tricks a logged-in user's browser into performing actions on your site without the user realizing. SameSite cookies are the modern defense.