I built a browser-only HTTP Cookie Inspector — parse Set-Cookie, security score, XSS/CSRF flags, 84 tests

HTTP cookies are everywhere in authentication, sessions, and tracking — but reading Set-Cookie headers manually is tedious. I built a free, browser-only HTTP Cookie Inspector that parses cookie strings and gives you a security analysis.
Live Tool
👉 https://devnestio.pages.dev/cookie-inspector/
What it does
- Parse Set-Cookie strings — extract all attributes at a glance
- Attribute cards — name, value, expires/max-age, domain, path, Secure, HttpOnly, SameSite
- Security score (0–100) — +25 for Secure, +25 for HttpOnly, +25 for SameSite≠None, +25 for expiry
- XSS/CSRF risk flags — warns when HttpOnly or SameSite is missing
- Syntax highlighted raw header — color-coded by attribute type
- Presets — session, persistent, secure+httponly, SameSite=Strict, minimal
- 100% client-side — no data leaves your browser
Cookie security flags explained
| Flag | Missing risk | Present benefit |
|---|---|---|
| Secure | Cookie sent over plaintext HTTP | Only sent over HTTPS |
| HttpOnly | JS can steal it (XSS) | Inaccessible via document.cookie |
| SameSite=Strict | CSRF attacks possible | Never sent on cross-site requests |
| SameSite=Lax | Partial CSRF risk | Sent cross-site only on top-level navigations (GET) |
| SameSite=None | Sent on every cross-site request | Explicit opt-in for embeds; must be paired with Secure or browsers reject it |

Note that Chromium-based browsers treat a cookie with no SameSite attribute as Lax by default, but not every browser does, so the tool's missing-SameSite warning is still worth acting on rather than relying on the default.
SameSite values
```
Set-Cookie: session=abc123; SameSite=Strict; HttpOnly; Secure
# Best practice for auth cookies
Set-Cookie: prefs=dark; SameSite=Lax
# OK for non-sensitive preferences
Set-Cookie: embed=true; SameSite=None; Secure
# Cross-site embeds (e.g. payment widgets)
```
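To make the parsing and scoring concrete, here is an added JavaScript example (not the Cookie Inspector's own source) that parses a Set-Cookie header into the attributes listed under "What it does", applies the four +25 rules from the feature list, emits the XSS/CSRF warnings, and runs against the three SameSite presets above plus a fully hardened cookie. The function names, the sample headers, the hard error for SameSite=None without Secure, and the decision to give a missing SameSite attribute no points (the post says it warns but not how it scores) are assumptions.

```javascript
// Added example, not the Cookie Inspector's own code. Function names, the
// sample cookies and the treatment of a missing SameSite (no points) are
// assumptions; the +25 weights come from the post's feature list.

// Parse one Set-Cookie header (with or without the "Set-Cookie:" prefix)
// into a plain object. Attribute names are case-insensitive per RFC 6265.
function parseSetCookie(header) {
  const raw = header.replace(/^\s*set-cookie\s*:/i, '').trim();
  const parts = raw.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  if (parts.length === 0) throw new Error('empty Set-Cookie header');

  // First segment is name=value; only the first '=' separates them, so a
  // value such as "a=b" survives intact.
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? parts[0] : parts[0].slice(eq + 1).trim(),
    expires: null, maxAge: null, domain: null, path: null,
    secure: false, httpOnly: false, sameSite: null,
  };

  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    switch (key) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': {
        const v = val.toLowerCase();
        // Unknown values (e.g. a typo) are treated as absent.
        cookie.sameSite = v === 'strict' ? 'Strict' : v === 'lax' ? 'Lax' : v === 'none' ? 'None' : null;
        break;
      }
      case 'max-age': {
        const n = Number.parseInt(val, 10);
        if (Number.isFinite(n)) cookie.maxAge = n;
        break;
      }
      case 'expires': {
        const d = new Date(val); // RFC 1123 dates parse natively
        if (!Number.isNaN(d.getTime())) cookie.expires = d;
        break;
      }
      case 'domain': cookie.domain = val.replace(/^\./, '').toLowerCase() || null; break;
      case 'path': cookie.path = val || null; break;
      default: break; // Partitioned, Priority, etc. are ignored here
    }
  }
  return cookie;
}

// Score 0-100 using the post's four +25 rules and collect the risk flags.
function scoreCookie(cookie) {
  const warnings = [];
  let score = 0;

  if (cookie.secure) score += 25;
  else warnings.push('Missing Secure: cookie can be sent over plaintext HTTP');

  if (cookie.httpOnly) score += 25;
  else warnings.push('Missing HttpOnly: readable via document.cookie (XSS)');

  if (cookie.sameSite === 'Strict' || cookie.sameSite === 'Lax') score += 25;
  else if (cookie.sameSite === 'None') warnings.push('SameSite=None: sent on all cross-site requests (CSRF)');
  else warnings.push('Missing SameSite: CSRF protection depends on browser defaults');

  if (cookie.maxAge !== null || cookie.expires !== null) score += 25;
  else warnings.push('No Max-Age/Expires: session cookie, lifetime set by the browser');

  // Browsers reject SameSite=None without Secure; flag it as a hard error.
  if (cookie.sameSite === 'None' && !cookie.secure) {
    warnings.push('SameSite=None without Secure: browsers will reject this cookie');
  }
  return { score, warnings };
}

function inspect(header) {
  const cookie = parseSetCookie(header);
  return { cookie, ...scoreCookie(cookie) };
}

// Constructed sample headers: the three presets from the post plus a hardened one.
const SAMPLES = [
  'Set-Cookie: session=abc123; SameSite=Strict; HttpOnly; Secure',
  'Set-Cookie: prefs=dark; SameSite=Lax',
  'Set-Cookie: embed=true; SameSite=None; Secure',
  'Set-Cookie: sid=xyz; Max-Age=3600; Path=/; Domain=.example.com; Secure; HttpOnly; SameSite=Lax',
];

for (const h of SAMPLES) {
  const r = inspect(h);
  console.log(`${r.cookie.name}: score ${r.score}`, r.warnings);
}
```

Under these rules the "best practice" auth preset scores 75, not 100: it is a session cookie with no Max-Age or Expires, which is the intended choice for a login session, so treat the expiry rule as a prompt to decide deliberately rather than as a defect.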
Testing
84 tests, all passing ✅
Tests cover:
- Parsing all standard attributes
- Boolean flags (Secure, HttpOnly) detection
- SameSite value classification
- Max-Age duration calculation
- Security score computation
- XSS/CSRF warning logic
- All preset templates
- HTML escaping in output
- UI elements and copy functionality
All tools at devnestio.pages.dev — free browser-only developer utilities.