Free Cookie Security Checker

Cookies without the right flags leak sessions to cross-site scripting and open the door to CSRF. We inspect every cookie your site sets and check for the Secure, HttpOnly, and SameSite attributes, flagging session and auth cookies as higher risk. We only ever read cookie names, never their values.

Secure Flag

Ensures cookies are only sent over HTTPS so they can't be stolen over plain-text connections.

HttpOnly Flag

Without HttpOnly, JavaScript (and therefore any XSS payload) can read the cookie, which is critical for session tokens.

SameSite

Flags missing or unsafe SameSite settings (including SameSite=None without Secure) that expose you to CSRF.

Why cookie flags matter

A session cookie without HttpOnly can be exfiltrated by a single XSS bug, leading to full account takeover. Missing Secure exposes it on any HTTP request, and a missing SameSite attribute leaves you open to cross-site request forgery.

Cookies that already set all three attributes correctly are reported as secure.

Frequently Asked Questions About Cookie Security

What is a cookie security checker?

A cookie security checker inspects the cookies a website sets and reports whether each one uses the recommended protective attributes: Secure, HttpOnly, and SameSite. Missing flags can expose session cookies to theft via cross-site scripting or leave the site open to cross-site request forgery (CSRF).

What do the Secure, HttpOnly, and SameSite flags do?

Secure tells the browser to send the cookie only over HTTPS, so it cannot be intercepted on plain-text connections. HttpOnly hides the cookie from JavaScript, so a cross-site scripting payload cannot read it. SameSite controls whether the cookie is sent on cross-site requests, which mitigates CSRF; SameSite=None must always be paired with Secure.

Why is HttpOnly so important for session cookies?

A session or authentication cookie without HttpOnly can be read by any JavaScript running on the page, including an injected XSS payload. That lets an attacker steal the session token and take over the account. Our checker treats session-like cookies (names containing sess, sid, auth, token, jwt, and similar) as higher risk when these flags are missing.
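As an added example that is not part of the ScanTower checker, the following Python applies the rules described in the two answers above (Secure, HttpOnly, SameSite, SameSite=None without Secure, and the session-like name heuristic) to a few constructed Set-Cookie headers. It parses only cookie names and attributes and discards values, matching the checker's stated behaviour; the attribute parsing and risk labels are this example's own assumptions.

```python
# Name fragments the FAQ lists as "session-like" (assumed to be substring matches).
SESSION_HINTS = ("sess", "sid", "auth", "token", "jwt")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, attributes); the value is discarded."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        # Attribute names are case-insensitive (RFC 6265), so normalise them.
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_cookie(header):
    """Return the findings for one cookie and a risk label derived from them."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    elif samesite not in ("strict", "lax", "none"):
        findings.append("unrecognized SameSite value '%s'" % samesite)
    session_like = any(hint in name.lower() for hint in SESSION_HINTS)
    if not findings:
        risk = "secure"  # all three attributes set correctly
    elif session_like:
        risk = "high"    # session/auth cookie with a missing or unsafe flag
    else:
        risk = "medium"
    return {"name": name, "session_like": session_like,
            "risk": risk, "findings": findings}


# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "auth_token=xyz; Path=/",
    "tracking=1; SameSite=None",
    "prefs=dark; Secure; HttpOnly; SameSite=Strict",
]


def check_all(headers=SAMPLE_HEADERS):
    return [check_cookie(h) for h in headers]
```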

Does the checker read my cookie values?

No. We only ever read cookie names and their security attributes, never the values. The cookie value itself is never captured, stored, or displayed.

Is the cookie security checker free?

Yes, it is free with no registration. For a wider audit that also covers CORS, Content-Security-Policy effectiveness, full security headers, and SSL/TLS, run a full ScanTower scan from the link below.

Want the Complete Picture?

This Cookie Security Check is great for a quick check, but our Full Security Scan gives you a comprehensive security audit in one go.