Tags: Security Tool · Privacy · GDPR · Offline · Deep Prototype

Cookie Inspector — Privacy & Security Audit

Paste Set-Cookie headers and get a per-cookie security and privacy audit: Secure / HttpOnly / SameSite flags, __Host- prefix conformance, lifetime caps, and tracker classification across 26 known vendors.


What it is

A cookie auditor that reads raw Set-Cookie headers and walks every cookie individually — what category it falls into, what flags it’s missing, how broadly it’s scoped, and what an attacker or a privacy regulator would object to.

  • Classification — auth/session, persistent vs session, tracker (matched against 26 known vendor patterns: GA, FB Pixel, Hotjar, TikTok, LinkedIn, Mixpanel, Segment, Amplitude, Marketo, DoubleClick, Cloudflare bot-mgmt, etc.)
  • Flag audit — Secure, HttpOnly, SameSite. Auth cookies missing any of these get a critical finding with the exact exploit it enables.
  • Prefix conformance — __Host- and __Secure- prefixes have hard rules (Secure required, Path must be /, no Domain). Browsers silently drop cookies that violate them. The tool detects this.
  • Scope check — domain-scoped auth cookies that spill across subdomains are flagged. Single-subdomain compromise = full session compromise.
  • Lifetime — over-400-day cookies flagged (Chrome 104+ caps regardless). Auth tokens over 30 days flagged, since a leaked token stays usable for the whole window.
  • Tracker recognition — vendor name surfaced, GDPR/CCPA implications noted.

Each cookie gets a tag strip — Auth/session, Persistent, Tracker, __Host-prefix — so the high-risk ones jump out at the top of the list.

Why a tool

Cookie audits are the area where the gap between “I know the rules” and “I check the rules” is widest. Engineers know __Host-session is better than sessionid. They know SameSite=None requires Secure. They forget all of this the moment the deploy looks green.

This tool gets pasted into the SOC2 evidence folder. The fixtures show a hardened cookie, a leaking auth cookie, a tracker-heavy site, a banking-grade setup, and a default PHP/ASP session — the five shapes you encounter in the wild.

How it ships

Single HTML file, ~19KB. Zero dependencies. The cookie parser handles the comma-split-around-Expires edge case, prefix-attribute validation, and 26 tracker patterns in 280 lines of vanilla JavaScript.
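The audit rules listed under "What it is" and the comma-split-around-Expires parsing edge case mentioned here, as one added example. This is illustrative code written for this page, not the Cookie Inspector's own parser: the three-entry vendor table and the name-based auth heuristic are constructed stand-ins for the tool's 26 tracker patterns and classification logic, and the sample header value is constructed.

```javascript
// Added example, not the Cookie Inspector's own code: a minimal Set-Cookie
// parser plus audit rules mirroring the checks described on the page.

const DAY = 86400; // seconds

// Split a header value in which several Set-Cookie lines were folded with
// commas. A comma starts a new cookie only when "name=" follows it, which the
// comma inside "Expires=Wed, 21 Oct 2026 ..." never does.
function splitSetCookie(headerValue) {
  return headerValue.split(/,(?=\s*[^=;,\s]+=)/).map((s) => s.trim()).filter(Boolean);
}

// Parse one cookie string into {name, value, attrs}. Attribute keys are
// lower-cased; bare flags (Secure, HttpOnly) map to true.
function parseCookie(str) {
  const [pair, ...rest] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq).trim();
  const value = eq === -1 ? pair : pair.slice(eq + 1).trim();
  const cookie = { name, value, attrs: {} };
  for (const p of rest) {
    if (!p) continue;
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return cookie;
}

// Constructed vendor subset (well-known cookie names, only three of many).
const TRACKERS = [
  [/^_ga$|^_gid$/, 'Google Analytics'],
  [/^_fbp$|^_fbc$/, 'Facebook Pixel'],
  [/^_hj/, 'Hotjar'],
];
// Constructed name heuristic for auth/session cookies.
const AUTH_NAME = /sess|auth|token|jwt|sid$/i;

// Remaining lifetime in seconds, or null for a session cookie.
function lifetimeSeconds(attrs, now) {
  if (attrs['max-age'] !== undefined) return Number(attrs['max-age']);
  if (attrs.expires !== undefined) {
    const t = Date.parse(attrs.expires);
    return Number.isNaN(t) ? null : Math.round((t - now) / 1000);
  }
  return null;
}

// Audit one parsed cookie; `now` is injectable so results are reproducible.
function auditCookie(cookie, now = Date.now()) {
  const { name, attrs } = cookie;
  const findings = [];
  const tags = [];
  const add = (severity, msg) => findings.push({ severity, msg });
  const secure = attrs.secure === true;
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;

  const vendor = (TRACKERS.find(([re]) => re.test(name)) || [])[1];
  const isAuth = !vendor && AUTH_NAME.test(name);
  if (isAuth) tags.push('auth/session');
  if (vendor) { tags.push('tracker'); add('info', `Tracker cookie (${vendor}); consent needed under GDPR/CCPA`); }

  const life = lifetimeSeconds(attrs, now);
  if (life !== null) tags.push('persistent');
  if (life !== null && life > 400 * DAY) add('warning', 'Lifetime over 400 days; Chrome 104+ caps it anyway');
  if (isAuth && life !== null && life > 30 * DAY) add('warning', 'Auth cookie lives over 30 days; a leaked token stays usable for the whole window');

  if (isAuth && !secure) add('critical', 'Auth cookie without Secure can be sent over plaintext HTTP');
  if (isAuth && attrs.httponly !== true) add('critical', 'Auth cookie without HttpOnly is readable by injected script');
  if (isAuth && sameSite === null) add('warning', 'Auth cookie without SameSite relies on browser defaults against CSRF');
  if (sameSite === 'none' && !secure) add('critical', 'SameSite=None requires Secure; browsers reject the cookie');

  if (name.startsWith('__Host-')) {
    tags.push('__Host-prefix');
    if (!secure || attrs.path !== '/' || attrs.domain !== undefined) {
      add('critical', '__Host- rules violated (Secure, Path=/, no Domain); browser drops the cookie');
    }
  } else if (name.startsWith('__Secure-') && !secure) {
    add('critical', '__Secure- prefix requires Secure; browser drops the cookie');
  }

  if (isAuth && attrs.domain !== undefined) {
    add('warning', `Domain=${attrs.domain} shares the session with every subdomain; one subdomain compromise exposes it`);
  }
  return { name, tags, findings };
}

function auditHeaders(headerValue, now = Date.now()) {
  return splitSetCookie(headerValue).map((s) => auditCookie(parseCookie(s), now));
}

// Constructed sample: a hardened cookie, a leaking auth cookie and a tracker,
// folded into one header value as proxies often do.
const SAMPLE = [
  '__Host-session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/',
  'sessionid=xyz; Domain=.example.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/',
  '_ga=GA1.2.1; Max-Age=63072000; Path=/',
].join(', ');
const FIXED_NOW = Date.UTC(2025, 0, 1); // fixed clock so lifetimes are deterministic

for (const r of auditHeaders(SAMPLE, FIXED_NOW)) console.log(r.name, r.tags, r.findings);
```

The split regex is the whole trick for the folded-header case: a comma is treated as a cookie boundary only when a `name=` pair follows it, so the weekday comma inside an Expires date stays put. Note the hardened `__Host-session` cookie produces no findings at all, while the plain `sessionid` with a Domain attribute and a long Expires collects the critical Secure/HttpOnly findings plus the scope and lifetime warnings.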
