
Set-Cookie Header Validator

Validate Set-Cookie headers for Secure, HttpOnly, SameSite, and __Host/__Secure conventions.


How to use this validator

  1. Paste one or more Set-Cookie headers, one per line.
  2. Run Validate to check the Secure/HttpOnly/SameSite rules and the __Host-/__Secure- prefix conventions.
  3. Fix flagged cookies (missing SameSite, missing Secure or HttpOnly, prefix violations) and re-run.

Rules & checks

Requires Secure and HttpOnly on each cookie.

Requires SameSite with a valid value (Lax, Strict, or None); the value is matched case-insensitively.

Flags SameSite=None without Secure (current browsers reject such a cookie outright).

Flags __Host- cookies that carry a Domain attribute, or that lack Path=/ or Secure.

Flags __Secure- cookies that lack Secure.
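The rules above, as an added example written for this page rather than the validator's own source: a small parser for Set-Cookie lines plus a checker that returns one issue string per violated rule. Attribute names are compared case-insensitively as browsers do, and the exact wording of the issue messages is this example's own choice, not the tool's.

```javascript
// Added example, not the page's own code. Parses a Set-Cookie line and applies
// the checks listed under "Rules & checks". Message text is illustrative.

// Parse "Set-Cookie: name=value; Attr; Attr=val" into {name, value, attrs}.
// Attribute names are lower-cased; attributes without "=" get the value true.
function parseSetCookie(header) {
  const line = header.replace(/^set-cookie:\s*/i, '').trim();
  const parts = line.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null; // require a non-empty cookie name
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: Object.create(null), // null prototype so "in" checks see only real attributes
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : part.slice(i + 1).trim();
    cookie.attrs[key] = val;
  }
  return cookie;
}

// Return the list of rule violations for one Set-Cookie line (empty = clean).
function checkCookie(header) {
  const c = parseSetCookie(header);
  if (!c) return ['unparseable Set-Cookie line'];
  const a = c.attrs;
  const issues = [];
  const secure = 'secure' in a;

  if (!secure) issues.push('missing Secure');
  if (!('httponly' in a)) issues.push('missing HttpOnly');

  if (!('samesite' in a)) {
    issues.push('missing SameSite');
  } else {
    // A bare "SameSite" attribute parses as true and is reported as invalid.
    const ss = String(a.samesite).toLowerCase();
    if (!['lax', 'strict', 'none'].includes(ss)) {
      issues.push(`invalid SameSite value "${a.samesite}"`);
    } else if (ss === 'none' && !secure) {
      issues.push('SameSite=None requires Secure');
    }
  }

  // Prefix conventions: __Host- is the stricter of the two.
  if (c.name.startsWith('__Host-')) {
    if (!secure) issues.push('__Host- prefix requires Secure');
    if (a.path !== '/') issues.push('__Host- prefix requires Path=/');
    if ('domain' in a) issues.push('__Host- prefix forbids Domain');
  } else if (c.name.startsWith('__Secure-')) {
    if (!secure) issues.push('__Secure- prefix requires Secure');
  }
  return issues;
}

// Validate a pasted block of headers, one Set-Cookie line per row of output.
function validateHeaders(text) {
  return text
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter(Boolean)
    .map((header) => ({ header, issues: checkCookie(header) }));
}

// Constructed sample input for a stand-alone run.
const SAMPLE = [
  'Set-Cookie: session=abc; Secure; HttpOnly; SameSite=Lax; Path=/',
  'Set-Cookie: session=abc; Secure; HttpOnly',
  'Set-Cookie: __Host-id=1; Secure; HttpOnly; Path=/; Domain=example.com',
].join('\n');

for (const r of validateHeaders(SAMPLE)) {
  console.log(r.header, '->', r.issues.length ? r.issues.join('; ') : 'ok');
}
```

The checker deliberately treats a missing HttpOnly as an issue on every cookie, matching the tool's rules; a real deployment may have JavaScript-readable cookies (CSRF tokens, UI preferences) where that finding is expected noise.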

Inputs explained

  • Set-Cookie headers

    Paste one or more Set-Cookie lines, one per line. Parsing runs locally in your browser, but replace real session values with placeholders anyway; only the attributes matter for the checks.

When to use it

  • QA API responses for secure cookies
  • Check CDN/edge overrides on Set-Cookie
  • Debug auth cookie problems reported in support cases

Common errors

  • SameSite=None without Secure
  • Missing SameSite entirely
  • Missing Secure/HttpOnly on session cookies
  • __Host- cookies missing Path=/ or including Domain

Limitations

  • Header-level validation only; does not check actual authentication logic.
  • Does not test cookie storage/behavior in browsers.

Tips

  • Prefer SameSite=Lax for session cookies unless cross-site requests genuinely need to carry the cookie
  • Always include Secure and HttpOnly on auth cookies
  • __Host- cookies are bound to the exact host that set them: use Secure, Path=/, and no Domain attribute

Examples

Secure cookie

  • Set-Cookie: session=abc; Secure; HttpOnly; SameSite=Lax; Path=/

Missing SameSite

  • Set-Cookie: session=abc; Secure; HttpOnly -> flagged

__Host- rules

  • Set-Cookie: __Host-id=1; Secure; HttpOnly; Path=/; Domain=example.com -> flagged

Deep dive

This Set-Cookie validator checks Secure, HttpOnly, SameSite, and __Host/__Secure rules entirely in your browser.

Use it to harden auth/session cookies from APIs or CDNs without uploading header data.

FAQs

Is this uploaded?
No. Parsing is local and clears on refresh.
