Cookie String Decoder
Paste raw Set-Cookie headers and get a complete plain-English breakdown of every attribute. Missing security flags are highlighted, tracking-style cookies are flagged, and SameSite / expiry issues are explained.
You can also inspect the cookies set by this very page.
All processing happens locally in your browser. No data is uploaded.
Cookie Security Attribute Reference
| Attribute | Effect | Missing = Risk? |
|---|---|---|
| HttpOnly | Blocks JavaScript access — prevents cookie theft via XSS | High |
| Secure | Sent only over HTTPS — prevents interception | High |
| SameSite=Strict | Never sent on cross-site requests — strongest CSRF protection | Medium |
| SameSite=Lax | Sent on safe cross-site navigation only | Low |
| SameSite=None | Sent on all cross-site requests — requires Secure | High |
| Max-Age / Expires | Controls when the cookie is deleted | Low |
| Domain | Subdomains that receive the cookie | Low |
| Path | URL prefix that triggers cookie sending | Low |
| Partitioned | CHIPS — isolates cookie per top-level site | Low |
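
The checks in the table can be applied mechanically to a raw header. The following is an added example, not this tool's own code: the function names, the finding wording and the Medium rating for a cookie with no SameSite attribute at all are assumptions, and the sample headers are constructed.

```javascript
// Added example: audits Set-Cookie lines against the attribute table above.
// parseSetCookie / auditCookie are illustrative names, not the tool's API.
function parseSetCookie(line) {
  const value = line.replace(/^set-cookie:\s*/i, "");
  const [pair, ...rest] = value.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no name=value pair: not a usable cookie
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    // Attribute names are case-insensitive; flags such as Secure carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

function auditCookie(line) {
  const c = parseSetCookie(line);
  if (!c) return null;
  const a = c.attrs;
  const sameSite = typeof a.samesite === "string" ? a.samesite.toLowerCase() : null;
  const findings = [];
  const add = (risk, issue) => findings.push({ risk, issue });
  if (!a.httponly) add("High", "HttpOnly missing: cookie is readable from JavaScript");
  if (!a.secure) add("High", "Secure missing: cookie can be sent over plain HTTP");
  if (sameSite === "none" && !a.secure) add("High", "SameSite=None requires Secure");
  // Assumption: an absent SameSite is rated Medium because browser defaults differ.
  if (sameSite === null) add("Medium", "SameSite missing: behaviour depends on browser default");
  if (!("max-age" in a) && !("expires" in a))
    add("Low", "No Max-Age/Expires: cookie lasts until the browser session ends");
  return { name: c.name, findings };
}

// Constructed sample headers, not captured from a real site.
const SAMPLE = [
  "Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=3600",
  "Set-Cookie: track=xyz; Domain=example.com; SameSite=None",
];
for (const line of SAMPLE) console.log(JSON.stringify(auditCookie(line)));
```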