Secure Cookie Test
Check whether response cookies use Secure, HttpOnly, and SameSite attributes.
Powered by Geekflare Website Load Time API
What Is a Secure Cookie Test?
Secure Cookie Test checks whether a page sets cookies using the Set-Cookie response header and verifies important cookie attributes such as Secure, HttpOnly, and SameSite.
Cookie Flags Checked
| Attribute | Why It Matters |
|---|---|
| Secure | Sends the cookie only over HTTPS connections. |
| HttpOnly | Prevents JavaScript from reading the cookie, reducing XSS impact. |
| SameSite | Controls whether cookies are sent with cross-site requests, helping reduce CSRF risk. |
How to Read the Results
If no Set-Cookie header is found, the page may not set cookies for anonymous visitors. Try a page or flow that actually issues cookies if you expect them.
For cookies that are found, prioritize adding both Secure and HttpOnly to sensitive cookies. SameSite=Lax is a common baseline for many sites, while SameSite=Strict is more restrictive. Cookies required in third-party contexts usually need SameSite=None; Secure.
The response header table highlights Set-Cookie rows and redacts cookie values while keeping the attributes visible.
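As an added example (not part of the Geekflare tool), the following Python checker applies the same per-cookie analysis to Set-Cookie header values: it reports missing Secure, HttpOnly and SameSite attributes, flags the SameSite=None-without-Secure combination that browsers reject, and redacts the cookie value while keeping attributes visible. The sample headers are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample Set-Cookie header values (not captured from a real site).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/; SameSite=Strict",
    "tracker=xyz; Path=/; SameSite=None",
    "legacy=1",
]

@dataclass
class CookieReport:
    name: str
    redacted: str            # value replaced, attributes preserved
    secure: bool
    httponly: bool
    samesite: Optional[str]  # normalized to Lax / Strict / None, or absent
    findings: List[str] = field(default_factory=list)

def analyze_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value and list missing or unsafe attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    name = name.strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    samesite = attrs.get("samesite")
    if samesite is not None:
        samesite = samesite.capitalize()           # "lax" -> "Lax", "none" -> "None"
    findings = []
    if not secure:
        findings.append("missing Secure")
    if not httponly:
        findings.append("missing HttpOnly")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite == "None" and not secure:
        findings.append("SameSite=None requires Secure; cookie will be rejected")
    rest = "; ".join(parts[1:])
    redacted = f"{name}=<redacted>" + (f"; {rest}" if rest else "")
    return CookieReport(name, redacted, secure, httponly, samesite, findings)

def analyze_all(headers: List[str]) -> List[CookieReport]:
    """Run the check over every Set-Cookie header in a response."""
    return [analyze_set_cookie(h) for h in headers]
```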
Frequently Asked Questions
The Secure flag tells browsers to send the cookie only over HTTPS connections.
HttpOnly prevents JavaScript from reading the cookie, which helps reduce the impact of cross-site scripting attacks.
SameSite controls whether cookies are sent with cross-site requests and can help reduce CSRF risk. Lax is a common default, while Strict is more restrictive.