Free Tool

Free Cookie Security Checker

Check whether a website's cookies set HttpOnly, Secure, and SameSite. We list every cookie and the flags it is missing.

Free and instant. No account or signup needed.

What this cookie security checker tests

A cookie is a small piece of data a website stores in your browser, and it is often the thing that keeps you logged in. Because a session cookie can stand in for your password, the flags a site attaches to its cookies decide how hard those cookies are to steal or abuse. This checker fetches the live response from the URL you enter, reads the Set-Cookie headers, and shows you each cookie alongside the three flags that matter most.

The first flag is HttpOnly. When a cookie is marked HttpOnly the browser hides it from JavaScript, so a cross-site scripting payload cannot read it through document.cookie and walk away with a logged-in session. It does not stop a script running in the page from making requests as the user, but it keeps the cookie value itself, and with it the ability to replay the session elsewhere, out of the attacker's hands. Every authentication cookie should carry it. A hardened example looks like Set-Cookie: session=abc123; HttpOnly.

The second flag is Secure. It tells the browser to send the cookie only over an encrypted HTTPS connection, which keeps it off plain HTTP where a network attacker could intercept it. On any site served over HTTPS, every cookie should set it, as in Set-Cookie: session=abc123; Secure.

The third flag is SameSite. It controls whether the cookie rides along on requests started by another website. Setting it to Lax or Strict means a malicious page cannot quietly trigger an authenticated request to your site using the victim's cookie, which is the core of a cross-site request forgery, or CSRF, attack. The two values differ in one important way: Lax still sends the cookie on top-level navigations such as a link click or a GET form submission, so Lax only protects you if state-changing actions are never reachable by GET, while Strict withholds the cookie on every cross-site request, including links into your site. The third value, SameSite=None, opts the cookie back in to cross-site sending and is only accepted by browsers when Secure is also set. A strong combination of all three reads Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Lax.

If this checker flags a cookie as missing a flag, add the relevant attributes wherever your application sets that cookie, then re-scan to confirm. For a deeper walkthrough of choosing between Lax and Strict, the __Host- prefix, and framework specific settings, read our guide on how to secure cookies.
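The following Python script is an added example of the check described above, not SiteSecurityScore's own code. It assumes you have already captured the Set-Cookie header values from a response (the sample headers below are constructed, not taken from any real site) and reports, per cookie, the three flags this page covers. It goes slightly beyond the page by also flagging two cases browsers enforce themselves: SameSite=None without Secure, and the __Host- and __Secure- prefix rules mentioned in the guide link above. The parser is deliberately simple (no quoted values, no date parsing), which is enough for flag checks.

```python
"""Offline Set-Cookie flag checker (added example, not SiteSecurityScore's code)."""
from typing import Dict, List, Tuple

VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lowercased. Bare flags such as HttpOnly map to "",
    valued attributes such as SameSite=Lax map to their value. The cookie
    value is split on the first "=" only, so values containing "=" survive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def check_cookie(header: str, https: bool = True) -> List[str]:
    """Return the findings for one Set-Cookie header; an empty list means clean."""
    name, _value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    secure = "secure" in attrs

    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie under XSS")
    if https and not secure:
        findings.append("missing Secure: may be sent over plain HTTP")

    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: browser default applies (Lax in some browsers, not all)")
    elif samesite not in VALID_SAMESITE:
        findings.append(f"invalid SameSite value {attrs['samesite']!r}")
    elif samesite == "none" and not secure:
        findings.append("SameSite=None without Secure: browsers reject the cookie")

    # Cookie-prefix rules: a browser drops a prefixed cookie that violates them.
    if name.startswith("__Host-"):
        if not secure:
            findings.append("__Host- prefix requires Secure")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
        if "domain" in attrs:
            findings.append("__Host- prefix forbids a Domain attribute")
    elif name.startswith("__Secure-") and not secure:
        findings.append("__Secure- prefix requires Secure")

    return findings


def check_response(headers: List[str], https: bool = True) -> Dict[str, List[str]]:
    """Map each cookie name to its findings, in the order the headers appear."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        report[name] = check_cookie(header, https)
    return report


# Constructed sample headers for demonstration; not captured from a real site.
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",   # hardened
    "tracking=xyz; Path=/",                                     # all three missing
    "embed=1; Secure; HttpOnly; SameSite=None",                 # cross-site, done right
    "ads=1; SameSite=None",                                     # None without Secure
    "__Host-csrf=tok; Secure; HttpOnly; SameSite=Strict",       # prefix without Path=/
]

if __name__ == "__main__":
    for cookie, issues in check_response(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: {'OK' if not issues else '; '.join(issues)}")
```

To run it against a live site, pass the list of Set-Cookie header values from your HTTP client (for example, the `headers.get_all("Set-Cookie")` list from a `urllib` response) and set `https=False` only when the page is genuinely served over plain HTTP, where the Secure flag would make the cookie unusable.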

Frequently asked questions

What is a cookie security checker?

A cookie security checker inspects every cookie a website sets and reports whether each one uses the HttpOnly, Secure, and SameSite flags. SiteSecurityScore checks this live by scanning the URL you enter and listing the flags each cookie is missing.

What does the HttpOnly flag do?

HttpOnly tells the browser not to expose a cookie to JavaScript through document.cookie. That blocks a cross-site scripting payload from reading session cookies and carrying a logged-in user's session off to another machine, which is why every authentication cookie should carry it. It does not prevent a script from acting as the user from within the page, so it complements, rather than replaces, fixing the XSS itself.

Why does a cookie need the Secure flag?

The Secure flag tells the browser to send the cookie only over HTTPS. Without it, the cookie can travel over plain HTTP where anyone on the network path can read it. Every cookie on an HTTPS site should set Secure.

What is SameSite and how does it stop CSRF?

SameSite controls whether a cookie is sent on cross-site requests. Setting it to Strict means the cookie is not attached to any request another site triggers to yours; Lax still allows it on top-level GET navigations such as link clicks but withholds it from cross-site POSTs and subresource loads. Either way the forged request arrives without the credential a cross-site request forgery attack relies on, provided that under Lax your state-changing endpoints do not accept GET.

Does this checker scan a live site?

Yes. Enter a URL and SiteSecurityScore fetches the live response, reads the Set-Cookie headers, and reports the flags on every cookie in seconds. No account or signup is required.

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan for your security headers, CSP, TLS, DNS, and cookies with a letter grade and copy-and-paste fixes. No account required.

Run a full scan