Cookie Inspector & SameSite Auditor

List this page's cookies and audit a pasted Set-Cookie header for security flags


Cookies carry sessions, preferences and tracking identifiers, and their security depends on three flags: Secure, HttpOnly and SameSite. This tool lists the cookies the current page can read, and — because the most security-relevant cookies are HttpOnly and invisible to JavaScript — also parses a pasted Set-Cookie header so you can audit those flags directly.

How it works

document.cookie returns only the non-HttpOnly cookies whose Domain and Path match the current document (and, on an http: page, none of the Secure ones), as name=value pairs; it never exposes attributes or flags. So the page list shows what scripts can read, which is itself a useful privacy signal. For full auditing, paste a raw Set-Cookie response header. The parser splits on ;, reads Secure, HttpOnly, SameSite, Domain, Path, Max-Age and Expires, then applies rules:

  • SameSite=None requires Secure, or modern browsers reject the cookie.
  • A cookie whose name looks session/auth-like (session, sid, token, auth) should have Secure and HttpOnly.
  • A missing SameSite attribute is treated as Lax by Chromium-based browsers, but other browsers do not all apply that default, so set it explicitly.

Example

Pasting sid=abc123; Path=/; SameSite=None raises a warning: SameSite=None is set without Secure, so the cookie will be dropped and the session may break. Adding Secure; HttpOnly clears the warnings.

Notes

Everything runs locally. The auditor inspects only the text you paste — it does not make any network request and never reveals HttpOnly cookies the browser hides from scripts.
