Cookie Decoder

Paste Set-Cookie response headers to decode and audit security attributes.

How it works

HttpOnly - prevents JavaScript from accessing the cookie, mitigating XSS-based session theft.

Secure - cookie is only sent over HTTPS connections.

SameSite=Strict - cookie is never sent on cross-site requests, the strongest CSRF protection. Lax - withheld from cross-site subrequests (images, frames, fetch/XHR, POST forms) but sent on cross-site top-level navigations that use safe methods such as GET. None - sent in all contexts and requires Secure, otherwise browsers reject the cookie.

Domain / Path - restrict the scope of the cookie to specific hosts and URL paths.

Max-Age / Expires - session cookies (no expiry) are deleted when the browser closes; persistent cookies survive.

Partitioned (CHIPS) - cookie is partitioned per top-level site, used for third-party cookies in privacy-preserving contexts; it must also carry the Secure attribute.

Security note
Session cookies should always have HttpOnly + Secure + SameSite=Lax at minimum. SameSite=None requires Secure. Missing HttpOnly enables XSS-based session theft via document.cookie.
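As an added example (not the Cookie Decoder's own code), the checks listed above applied to raw Set-Cookie header strings in Python; the parser and finding texts are ours, and every header string passed in is a constructed sample.

```python
"""Parse a Set-Cookie header and audit its security attributes (added example)."""


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name/value plus a case-insensitive attribute map.

    Flag attributes (HttpOnly, Secure, Partitioned) map to True; valued attributes
    (Path, Domain, SameSite, Max-Age, Expires) keep their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # first '=' separates name from value
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_persistent(header: str) -> bool:
    """True if Max-Age or Expires is present (survives browser close), else session cookie."""
    attrs = parse_set_cookie(header)["attrs"]
    return "max-age" in attrs or "expires" in attrs


def audit_cookie(header: str) -> list:
    """Return audit findings for one Set-Cookie header; an empty list means no issue.

    Baseline applied: HttpOnly + Secure + SameSite=Lax (or Strict) for session cookies,
    SameSite=None and Partitioned both require Secure.
    """
    attrs = parse_set_cookie(header)["attrs"]
    samesite = str(attrs.get("samesite", "")).lower()
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable via document.cookie (XSS session theft)")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject this cookie")
    if samesite not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax: CSRF protection depends on browser defaults")
    if "partitioned" in attrs and "secure" not in attrs:
        findings.append("Partitioned without Secure: CHIPS requires the Secure attribute")
    return findings


if __name__ == "__main__":
    for line in ["sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",  # constructed
                 "tracker=1; Path=/; SameSite=None"]:                    # constructed
        print(line, "->", audit_cookie(line) or "OK")
```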