Inspect Set-Cookie headers: security attributes, expiry, domain binding.
The Cookie Analyzer on 101IP makes an HTTP request to the given URL and inspects all Set-Cookie headers in the server response. Each cookie is checked for security attributes and warnings are displayed.
Strict â same-site only; Lax â allows top-level navigational GET requests; None â no restrictions (requires Secure).Cookies without Expires or Max-Age are session cookies â the browser deletes them when closed. Persistent cookies are stored until the specified date or Max-Age expires.
This tool only shows cookies set by the server via HTTP headers. Cookies set by JavaScript (document.cookie) are not visible. Some sites only set cookies after login â in that case, try checking the specific login page URL.
The HttpOnly flag is a cookie attribute that restricts access to the cookie from client-side scripts (JavaScript). Such cookies are not displayed in the general list because they are protected against XSS attacks, which increases the security of your website. Cookie Analyzer processes these cookies internally and uses them for its own analysis.
According to the specification, cookies with the `SameSite=None` attribute must always have the `Secure` flag, otherwise they will be rejected by the browser. This requirement is due to security reasons, as such cookies can only be transmitted over HTTPS. Cookie Analyzer highlights this for you so that you can promptly fix potential configuration errors.
Cookie Analyzer processes cookies from the current URL and all resources loaded as part of the main document request. It does not analyze cookies set by embedded third-party resources (third-party cookies) separately, as they are already included in the overall list of cookies available for the current domain. The extension focuses specifically on analyzing first-party cookies.