Fetching latest headlines…
I built a browser-only HTTP Cookie Inspector — parse Set-Cookie, security score, XSS/CSRF flags, 84 tests
NORTH AMERICA
🇺🇸 United StatesJuly 1, 2026

I built a browser-only HTTP Cookie Inspector — parse Set-Cookie, security score, XSS/CSRF flags, 84 tests

0 views0 likes0 comments
Originally published byDev.to

HTTP cookies are everywhere in authentication, sessions, and tracking — but reading Set-Cookie headers manually is tedious. I built a free, browser-only HTTP Cookie Inspector that parses cookie strings and gives you a security analysis.

Live Tool

👉 https://devnestio.pages.dev/cookie-inspector/

What it does

  • Parse Set-Cookie strings — extract all attributes at a glance
  • Attribute cards — name, value, expires/max-age, domain, path, Secure, HttpOnly, SameSite
  • Security score (0–100) — +25 for Secure, +25 for HttpOnly, +25 for SameSite≠None, +25 for expiry
  • XSS/CSRF risk flags — warns when HttpOnly or SameSite is missing
  • Syntax highlighted raw header — color-coded by attribute type
  • Presets — session, persistent, secure+httponly, SameSite=Strict, minimal
  • 100% client-side — no data leaves your browser

Cookie security flags explained

Flag Missing risk Present benefit
Secure Cookie sent over HTTP Only sent over HTTPS
HttpOnly JS can steal it (XSS) Inaccessible via document.cookie
SameSite=Strict CSRF attacks possible Never sent on cross-site requests
SameSite=Lax Partial CSRF risk Sent on top-level nav only
SameSite=None Always cross-site Requires Secure flag

SameSite values

Set-Cookie: session=abc123; SameSite=Strict; HttpOnly; Secure
# Best practice for auth cookies

Set-Cookie: prefs=dark; SameSite=Lax
# OK for non-sensitive preferences

Set-Cookie: embed=true; SameSite=None; Secure
# Cross-site embeds (e.g. payment widgets)

Testing

84 tests, all passing ✅

Tests cover:

  • Parsing all standard attributes
  • Boolean flags (Secure, HttpOnly) detection
  • SameSite value classification
  • Max-Age duration calculation
  • Security score computation
  • XSS/CSRF warning logic
  • All preset templates
  • HTML escaping in output
  • UI elements and copy functionality

All tools at devnestio.pages.dev — free browser-only developer utilities.

Comments (0)

Sign in to join the discussion

Be the first to comment!