
Cookie Security Inspector

Inspect Set-Cookie headers for SameSite, Secure, HttpOnly, domain/path scope, expiry, and auth-session risks.

P1 · Auth / Security · High severity

Debug signal score: 100 (4 signals)

4 signals detected. Start with HttpOnly missing.

Detected signals

HttpOnly missing

A cookie may be readable from JavaScript.

Add HttpOnly to session cookies unless client-side access is required.

Secure missing or SameSite=None risk

A cookie with SameSite=None is sent in cross-site requests, and browsers reject it unless Secure is also set; session cookies should be HTTPS-only in any case.

Add Secure and verify HTTPS is used in every environment that sets the cookie.

Broad cookie domain

A Domain attribute makes the cookie apply to that host and every subdomain of it, so any subdomain can read or overwrite it.

Narrow Domain and Path unless cross-subdomain auth is required.

Third-party cookie issue

Browser cookie policy may block auth in cross-site contexts.

Use SameSite=None; Secure where appropriate and consider token handoff alternatives.

Highlighted lines

line 1: Set-Cookie: session=abc; Path=/; SameSite=None
  signals: HttpOnly missing; Secure missing or SameSite=None risk; Third-party cookie issue

line 2: Set-Cookie: csrf=def; Domain=.example.com
  signals: HttpOnly missing; Secure missing or SameSite=None risk; Broad cookie domain

line 3: Chrome blocked third-party cookie
  signals: Third-party cookie issue

Fix checklist
Add HttpOnly to session cookies unless client-side access is required.
Add Secure and verify HTTPS is used in every environment that sets the cookie.
Narrow Domain and Path unless cross-subdomain auth is required.
Use SameSite=None; Secure where appropriate and consider token handoff alternatives.
Classify each cookie as session, CSRF, preference, or analytics.
Verify Secure, HttpOnly, SameSite, Domain, Path, and expiry.
Test in the browser where the failure occurs.
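The checks above can be reproduced with a small Set-Cookie parser. The following is an added example, not DebugTools' own code: it parses header lines into attributes, applies one rule per signal named on this page, and maps detected signals to the fix checklist. The rules (flag any cookie without HttpOnly, flag a missing Secure attribute, flag any Domain attribute, treat SameSite=None or browser console text about third-party cookies as a third-party issue) are this example's reading of the page, not the tool's source. The sample input is the three lines shown above plus one constructed hardened cookie.

```javascript
// Added example: a minimal Set-Cookie inspector (not the DebugTools implementation).
// Signal and fix strings are taken from the page; the detection rules are assumptions.
const SIGNALS = {
  httpOnly: "HttpOnly missing",
  secure: "Secure missing or SameSite=None risk",
  domain: "Broad cookie domain",
  thirdParty: "Third-party cookie issue",
};

const FIXES = {
  [SIGNALS.httpOnly]: "Add HttpOnly to session cookies unless client-side access is required.",
  [SIGNALS.secure]: "Add Secure and verify HTTPS is used in every environment that sets the cookie.",
  [SIGNALS.domain]: "Narrow Domain and Path unless cross-subdomain auth is required.",
  [SIGNALS.thirdParty]: "Use SameSite=None; Secure where appropriate and consider token handoff alternatives.",
};

// Parse one "Set-Cookie:" line into { name, value, attrs }.
// Attribute keys are lower-cased; bare flags (Secure, HttpOnly) become `true`.
function parseSetCookie(line) {
  const m = /^\s*set-cookie\s*:\s*(.*)$/i.exec(line);
  if (!m) return null;
  const [pair, ...rawAttrs] = m[1].split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    attrs: {},
  };
  for (const attr of rawAttrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Apply the four rules to one pasted line (a header or a browser console message).
function inspectLine(line) {
  const found = [];
  const cookie = parseSetCookie(line);
  if (!cookie) {
    // Not a header: browser console text about third-party cookies counts as evidence.
    if (/third-party cookie/i.test(line)) found.push(SIGNALS.thirdParty);
    return found;
  }
  const a = cookie.attrs;
  const sameSite = typeof a.samesite === "string" ? a.samesite.toLowerCase() : null;

  if (!("httponly" in a)) found.push(SIGNALS.httpOnly);
  // Missing Secure is a risk on its own; with SameSite=None the browser rejects the cookie.
  if (!("secure" in a)) found.push(SIGNALS.secure);
  // Any Domain attribute makes the cookie apply to that host and all its subdomains.
  if (typeof a.domain === "string" && a.domain.length > 0) found.push(SIGNALS.domain);
  // SameSite=None is exactly the cross-site case that third-party cookie policy governs.
  if (sameSite === "none") found.push(SIGNALS.thirdParty);
  return found;
}

// Inspect a pasted snippet; returns one entry per non-empty line.
function inspect(text) {
  return text
    .split(/\r?\n/)
    .filter((l) => l.trim().length > 0)
    .map((line, i) => ({ line: i + 1, text: line, signals: inspectLine(line) }));
}

// Build the fix checklist: one fix per distinct signal, in catalogue order.
function fixChecklist(text) {
  const seen = new Set(inspect(text).flatMap((r) => r.signals));
  return Object.values(SIGNALS).filter((s) => seen.has(s)).map((s) => FIXES[s]);
}

// Constructed sample input: the three lines from the page plus one hardened cookie.
const SAMPLE = [
  "Set-Cookie: session=abc; Path=/; SameSite=None",
  "Set-Cookie: csrf=def; Domain=.example.com",
  "Chrome blocked third-party cookie",
].join("\n");
const HARDENED = "Set-Cookie: session=abc; Path=/; Secure; HttpOnly; SameSite=Lax";

for (const r of inspect(SAMPLE)) console.log(`line ${r.line}:`, r.signals.join("; ") || "no signals");
console.log("hardened:", inspectLine(HARDENED));
```

The hardened line produces no signals because it sets Secure and HttpOnly and uses SameSite=Lax, which keeps it out of cross-site requests; the csrf cookie on line 2 is still flagged for HttpOnly because the rules do not classify cookies, which is why the checklist asks you to classify each one by hand.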

DebugTools product

Cookie Security Inspector is a focused DebugTools mini-product for developers that inspects Set-Cookie headers for the attributes and auth-session risks listed above.

Use cases

  • Inspect auth, token, header, certificate, cookie, and policy clues safely.
  • Find configuration mismatches before sharing logs or screenshots.
  • Turn security evidence into a practical fix checklist.

How it works

  • Paste or load the snippet you want to inspect in Cookie Security Inspector.
  • Run the tool in the browser and review the highlighted output.
  • Copy, export, or turn the result into the next debugging step.

Privacy

  • Cookie Security Inspector is local-first. The core workflow runs in your browser and does not require sending pasted content to DebugTools servers.

This tool history


Only visits for this tool are shown. Pasted content, tokens, request bodies, and logs are not stored here.
