logo

Cookie Inspector

Free online cookie inspector. Paste a Set-Cookie or Cookie header and instantly see every attribute (HttpOnly, Secure, SameSite, expiry) broken down and explained.
logo
Paji Dev Workshop
Cookie Inspector

Cookie Inspector

Free online cookie inspector. Paste a Set-Cookie or Cookie header and instantly see every attribute (HttpOnly, Secure, SameSite, expiry) broken down and explained.
Processing

About cookies

How cookies remember you across a stateless web

HTTP is stateless, so each request stands alone. A server remembers you by sending a Set-Cookie header in its response; the browser stores it and sends it back as a Cookie header on later requests to the same site. That round trip is how logins and sessions work.

Attributes decide when and how safely a cookie travels

HttpOnly hides the cookie from JavaScript to blunt XSS. Secure keeps it to HTTPS. SameSite controls cross-site sending and is the core CSRF defense, and SameSite=None only works alongside Secure. Domain and Path scope where it applies; Max-Age and Expires decide how long it lives.

FAQ

Common questions and answers about this topic.

What's the difference between SameSite Lax, Strict, and None?

Strict never sends the cookie cross-site; Lax sends it only on top-level navigations like clicking a link; None sends it on all cross-site requests but requires Secure. Lax is the modern browser default.

What's the difference between HttpOnly and Secure?

HttpOnly stops JavaScript from reading the cookie (defense against XSS theft). Secure stops it being sent over plain HTTP (defense against network interception). They protect against different attacks, so sensitive cookies usually set both.

When does a cookie expire?

If it has neither Max-Age nor Expires, it's a session cookie and disappears when the browser closes. Max-Age (seconds from now) wins over Expires (an absolute date); a Max-Age of 0 or less deletes it immediately.

Is my cookie data sent to any server?

No. Everything is parsed entirely in your browser, and nothing you paste leaves your device.