Scanner check

Cookie Security Checker

Check whether website cookies use security attributes such as Secure, HttpOnly, SameSite, path, domain, and expiry controls.

Problem Summary

Cookies often carry session identifiers, preferences, and application state. Missing cookie attributes can increase exposure if another vulnerability, network weakness, or cross-site request path is present.

Why It Matters

  • Secure helps keep cookies off cleartext HTTP requests.
  • HttpOnly reduces direct JavaScript access to sensitive cookies.
  • SameSite restricts when the browser attaches a cookie to cross-site requests, which reduces some CSRF-style request patterns when it is configured to match the application flow.
  • Broad domain and path settings can expose cookies to more hosts or routes than intended.

How Qourby Checks It

  • Requests public pages and records Set-Cookie headers returned during the scan.
  • Checks whether cookies include expected attributes and flags common risky combinations.
  • Reports the cookie name, endpoint, and observed attributes where available.
  • This is not a manual authentication test and does not prove session fixation, CSRF, or account takeover by itself.

Basic scanning checks externally observable configuration and response behavior. Manual penetration testing goes further with authenticated flows, exploit validation, source review, business logic testing, and human judgment.

Common Failures

  • Session cookies missing Secure on HTTPS sites.
  • Sensitive cookies missing HttpOnly.
  • SameSite omitted where the application does not require broad cross-site behavior.
  • Cookie Domain scoped too broadly across subdomains.
  • Long-lived cookies used where shorter expiry or rotation would be more appropriate.

How To Fix

  • Set Secure and HttpOnly on session cookies unless a specific technical reason prevents it.
  • Choose SameSite=Lax or SameSite=Strict for cookies that do not need third-party context.
  • Use SameSite=None only with Secure and only where cross-site embedding or identity flows require it.
  • Scope Domain and Path to the narrowest practical host and route.
  • Review framework defaults and edge middleware that may rewrite cookies.
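The following script is an added example, not Qourby's scanner code. It shows the two halves described above: parsing observed Set-Cookie header values and flagging the combinations listed under "Common Failures", then rebuilding each header according to the "How To Fix" rules. The sample headers are constructed for the example, the name fragments in SESSION_HINTS and the 30-day MAX_LIFETIME threshold are assumptions, and the finding codes are this example's own labels.

```python
"""Cookie attribute checker: parses Set-Cookie header values and flags the
failures listed on this page (added example, not Qourby's own code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Assumption: a cookie whose name contains one of these fragments is treated
# as sensitive for the HttpOnly rule. A real scanner would use a richer list.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")
MAX_LIFETIME = 30 * 24 * 3600  # assumed "long-lived" threshold, in seconds


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict  # attribute name (lower-case) -> value, or True for bare flags


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value.strip(), attrs)


def is_sensitive(c: Cookie) -> bool:
    return any(h in c.name.lower() for h in SESSION_HINTS)


def lifetime_seconds(c: Cookie, now: Optional[datetime] = None) -> Optional[int]:
    """Lifetime from Max-Age (takes precedence) or Expires; None for session cookies."""
    now = now or datetime.now(timezone.utc)
    if "max-age" in c.attrs:
        try:
            return int(c.attrs["max-age"])
        except (TypeError, ValueError):
            return None
    if "expires" in c.attrs:
        try:
            exp = parsedate_to_datetime(str(c.attrs["expires"]))
        except (TypeError, ValueError):
            return None
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return int((exp - now).total_seconds())
    return None


def check_cookie(c: Cookie, https: bool = True, now: Optional[datetime] = None) -> list:
    """Return finding codes, in the order of the page's 'Common Failures' list."""
    a = c.attrs
    samesite = str(a["samesite"]).lower() if "samesite" in a else None
    findings = []
    if https and "secure" not in a:
        findings.append("missing-secure")
    if is_sensitive(c) and "httponly" not in a:
        findings.append("missing-httponly")
    if samesite is None:
        findings.append("samesite-omitted")
    elif samesite == "none" and "secure" not in a:
        findings.append("samesite-none-without-secure")  # browsers reject this pairing
    if "domain" in a:  # any Domain attribute widens the cookie to all subdomains
        findings.append("broad-domain")
    life = lifetime_seconds(c, now)
    if life is not None and life > MAX_LIFETIME:
        findings.append("long-lived")
    return findings


def suggest_fix(c: Cookie, https: bool = True) -> str:
    """Rebuild the header following the page's 'How To Fix' rules."""
    a = c.attrs
    out = [f"{c.name}={c.value}", f"Path={a.get('path', '/')}"]  # Domain dropped: host-only
    if https:
        out.append("Secure")
    if is_sensitive(c) or "httponly" in a:
        out.append("HttpOnly")
    samesite = a.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict", "none"):
        samesite = "Lax"  # omitted or malformed: default to Lax
    if samesite.lower() == "none" and not https:
        samesite = "Lax"  # SameSite=None is only valid together with Secure
    out.append(f"SameSite={samesite.capitalize()}")
    life = lifetime_seconds(c)
    if life is not None:
        out.append(f"Max-Age={min(life, MAX_LIFETIME)}")  # cap long-lived cookies
    return "; ".join(out)


if __name__ == "__main__":
    # Constructed sample header values; not captured from any real site.
    SAMPLES = [
        "sessionid=abc123; Path=/; HttpOnly",
        "authtoken=xyz; Secure; SameSite=None; Domain=.example.com; Path=/; Max-Age=31536000",
        "tracker=1; SameSite=None; Path=/",
        "sid=q; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age=3600",
    ]
    for h in SAMPLES:
        c = parse_set_cookie(h)
        print(c.name, check_cookie(c))
        print("  fix:", suggest_fix(c))
```

Run it over the constructed samples to see one finding list per cookie and the rebuilt header beside it. The `https` flag matters: the missing-Secure finding only applies to cookies observed over HTTPS, mirroring the page's "Session cookies missing Secure on HTTPS sites", and the fix keeps SameSite=None only when Secure can be added.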
