Cookie security check
See every cookie your site sets and whether it carries the Secure, HttpOnly, and SameSite flags — the three attributes standing between your users and session hijacking. Names only; we never read values.
The cookie is the session
Whoever holds a user's session cookie is that user — no password needed. The three flags are what decide how stealable it is: Secure keeps it off the network, HttpOnly keeps it away from scripts, SameSite keeps other sites from borrowing it. Each is one word in the Set-Cookie header, and each closes a different way of walking off with an account.
Auth libraries mostly get this right. The gaps show up in the cookies your own code sets — the quick “remember this” flag added at midnight, the analytics cookie from a snippet — which is exactly what a listing like this makes visible.
Cookies are one layer. The free report checks the rest.
Run the full scan free — security headers, TLS, DNS, exposed subdomains, email spoofing protection and more, graded A to F, with a copy-paste fix for every finding.
Cookie security, answered
What do the Secure, HttpOnly, and SameSite cookie flags do?
Why does the HttpOnly flag matter so much for session cookies?
What does SameSite=Lax vs Strict vs None mean?
Why does this checker show no cookies for my site?
Can this tool see my users' cookie values?
How do I set these flags in my framework?
one request to your site · cookie names and flags only, never values · nothing stored