Cookie Checker & Analyser

The Secure flag ensures cookies are only sent over HTTPS connections, preventing transmission over unencrypted HTTP where attackers could intercept them via man-in-the-middle attacks.

The HttpOnly flag prevents JavaScript from accessing the cookie via document.cookie. This is critical for session cookies to mitigate Cross-Site Scripting (XSS) attacks.

Controls when cookies are sent with cross-site requests:

• Strict: Only sent for same-site requests
• Lax: Sent for top-level navigations (recommended default)
• None: Sent for all requests (requires Secure flag)

• • Always use Secure for sensitive cookies
• • Set HttpOnly unless JS access is required
• • Use SameSite=Lax as a baseline
• • Set appropriate expiration with Max-Age