HTTP Cookie Parser
Parse HTTP Set-Cookie and Cookie headers into a readable table. Inspect name, value, domain, path, expiry, SameSite, Secure, and HttpOnly attributes.
HTTP cookie attributes
| Attribute | Description |
|---|---|
| Name=Value | The cookie's key–value pair |
| Expires | Absolute expiry date; omit for a session cookie |
| Max-Age | Seconds until the cookie expires (takes priority over Expires) |
| Domain | Which host the cookie applies to |
| Path | URL path scope (e.g., /app) |
| Secure | Only sent over HTTPS |
| HttpOnly | Not accessible via JavaScript (XSS protection) |
| SameSite | Strict, Lax, or None (CSRF protection) |
| Partitioned | CHIPS: isolated third-party cookie per top-level site |
SameSite explained
- Strict: cookie is never sent in cross-site requests. Most secure; may break OAuth redirects.
- Lax: cookie is sent on top-level GET navigations from external sites, but not on other cross-site subrequests. Default in modern browsers.
- None: cookie is sent in all contexts (third-party). Requires the Secure flag.
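As an added example (not the parser tool's own code), the function below parses one Set-Cookie header into the attributes listed in the table above and then audits the result for the weak combinations a reviewer looks for: SameSite=None without Secure, Partitioned without Secure, and missing Secure, HttpOnly or SameSite. The names `parseSetCookie`, `auditCookie` and the finding codes are assumptions of this example.

```javascript
// Bare flag attributes (present or absent, no "=value") mapped to field names.
const FLAG_ATTRS = { secure: "secure", httponly: "httpOnly", partitioned: "partitioned" };
// Canonical spelling for the three SameSite values; unknown values are kept as written.
const SAME_SITE = { strict: "Strict", lax: "Lax", none: "None" };

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim()).filter(Boolean);
  if (!pair) throw new Error("empty Set-Cookie header");
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? "" : pair.slice(0, eq).trim(),
    // RFC 6265 allows the value to be wrapped in double quotes; strip them.
    value: (eq < 0 ? pair : pair.slice(eq + 1).trim()).replace(/^"(.*)"$/, "$1"),
    domain: null, path: null, expires: null, maxAge: null, sameSite: null,
    secure: false, httpOnly: false, partitioned: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (Object.prototype.hasOwnProperty.call(FLAG_ATTRS, key)) cookie[FLAG_ATTRS[key]] = true;
    else if (key === "domain") cookie.domain = val;
    else if (key === "path") cookie.path = val;
    else if (key === "expires") cookie.expires = val;
    // A non-integer Max-Age is ignored by browsers, so record it as absent.
    else if (key === "max-age") cookie.maxAge = /^-?\d+$/.test(val) ? Number(val) : null;
    else if (key === "samesite") cookie.sameSite = SAME_SITE[val.toLowerCase()] ?? val;
  }
  return cookie;
}

// Returns finding codes (constructed for this example) for weak attribute combinations.
function auditCookie(c) {
  const findings = [];
  if (c.sameSite === "None" && !c.secure) findings.push("samesite-none-without-secure");
  if (c.partitioned && !c.secure) findings.push("partitioned-without-secure");
  if (!c.secure) findings.push("missing-secure");       // sent over plain HTTP
  if (!c.httpOnly) findings.push("missing-httponly");   // readable via document.cookie
  if (c.sameSite === null) findings.push("missing-samesite"); // relies on browser default
  return findings;
}

// Constructed sample header: a hardened session cookie should produce no findings.
const sample = parseSetCookie("session=abc123; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Lax");
console.log(sample, auditCookie(sample));
```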
Third-party cookie deprecation
Google originally planned to deprecate third-party cookies in Chrome by 2024 but reversed course in 2024, opting instead for a user-choice model rather than a blanket ban. Safari and Firefox have already blocked third-party cookies by default for several years. The direction of travel is clear: third-party cookies are a legacy technology. The Privacy Sandbox initiative proposes replacements such as the CHIPS (Cookies Having Independent Partitioned State) attribute, which allows third-party cookies scoped to a specific top-level site rather than shared across all sites. Partitioned cookies use the Partitioned attribute alongside SameSite=None; Secure.
Cookie vs. localStorage for authentication
For storing authentication tokens, cookies with the HttpOnly and Secure flags are significantly more secure than localStorage:
- HttpOnly cookies are inaccessible to JavaScript, eliminating the risk of token theft via XSS. localStorage is directly readable by any script.
- The Secure flag ensures the cookie is only sent over HTTPS, preventing interception on insecure networks.
- CSRF risk: cookies are automatically included in cross-site requests, creating a CSRF vulnerability. Mitigate with SameSite=Lax or SameSite=Strict and CSRF tokens for state-changing operations.
Cookie size limits
- Per cookie: ~4,096 bytes (4 KB) including the name, value, and attributes
- Per domain: approximately 50 cookies, though this varies by browser
- Total per domain: approximately 4 KB × 50 = ~200 KB maximum, though browsers may evict older cookies when limits are reached
For larger data storage needs, use localStorage (5–10 MB) or IndexedDB.