DEV Community

Dev Nestio

I built a browser-only HTTP Cookie Inspector — parse Set-Cookie, security score, XSS/CSRF flags, 84 tests

HTTP cookies are everywhere in authentication, sessions, and tracking — but reading Set-Cookie headers manually is tedious. I built a free, browser-only HTTP Cookie Inspector that parses cookie strings and gives you a security analysis.

Live Tool

👉 https://devnestio.pages.dev/cookie-inspector/

What it does

  • Parse Set-Cookie strings — extract all attributes at a glance
  • Attribute cards — name, value, expires/max-age, domain, path, Secure, HttpOnly, SameSite
  • Security score (0–100) — +25 for Secure, +25 for HttpOnly, +25 for SameSite≠None, +25 for expiry
  • XSS/CSRF risk flags — warns when HttpOnly or SameSite is missing
  • Syntax highlighted raw header — color-coded by attribute type
  • Presets — session, persistent, secure+httponly, SameSite=Strict, minimal
  • 100% client-side — no data leaves your browser

Cookie security flags explained

| Flag | Missing risk | Present benefit |
|---|---|---|
| Secure | Cookie may be sent over plaintext HTTP | Only sent over HTTPS |
| HttpOnly | JS can steal it (XSS) | Inaccessible via document.cookie |
| SameSite=Strict | CSRF attacks possible | Never sent on cross-site requests |
| SameSite=Lax | Partial CSRF risk | Sent only on top-level navigations |
| SameSite=None | Always sent cross-site | Requires the Secure flag |

SameSite values

Set-Cookie: session=abc123; SameSite=Strict; HttpOnly; Secure
# Best practice for auth cookies

Set-Cookie: prefs=dark; SameSite=Lax
# OK for non-sensitive preferences

Set-Cookie: embed=true; SameSite=None; Secure
# Cross-site embeds (e.g. payment widgets)
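As an added example (not the Cookie Inspector's own source), here is the parse-and-score logic described above in plain JavaScript: it applies the post's +25-per-attribute rule (Secure, HttpOnly, SameSite other than None, explicit expiry) to the three presets and emits the XSS/CSRF warnings. The function and field names are my own.

```javascript
// Added example, not the Cookie Inspector's code: a minimal Set-Cookie parser
// plus the post's scoring rule and XSS/CSRF warnings.
function parseSetCookie(header) {
  // Strip an optional "Set-Cookie:" prefix, then split name=value from attributes.
  const body = header.replace(/^\s*Set-Cookie:\s*/i, "");
  const [pair, ...attrs] = body.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? "" : pair.slice(eq + 1), // value may itself contain "="
    secure: false, httpOnly: false, sameSite: null,
    expires: null, maxAge: null, domain: null, path: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase(); // attributes are case-insensitive
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
    else if (key === "expires") cookie.expires = val;
    else if (key === "max-age") cookie.maxAge = Number(val);
    else if (key === "domain") cookie.domain = val;
    else if (key === "path") cookie.path = val;
  }
  return cookie;
}

// Score 0-100: +25 for Secure, +25 for HttpOnly, +25 for SameSite not None,
// +25 for an explicit Expires/Max-Age. Each missing item yields a warning.
function analyzeCookie(header) {
  const c = parseSetCookie(header);
  const warnings = [];
  let score = 0;
  if (c.secure) score += 25; else warnings.push("no Secure: may be sent over plaintext HTTP");
  if (c.httpOnly) score += 25; else warnings.push("no HttpOnly: readable via document.cookie (XSS)");
  if (c.sameSite && c.sameSite !== "none") score += 25;
  else warnings.push("SameSite missing or None: sent on cross-site requests (CSRF)");
  if (c.expires !== null || c.maxAge !== null) score += 25;
  else warnings.push("no Expires/Max-Age: session cookie with no explicit lifetime");
  // Browsers reject SameSite=None without Secure; flag it separately.
  if (c.sameSite === "none" && !c.secure) warnings.push("SameSite=None requires Secure");
  return { cookie: c, score, warnings };
}

// Example: the auth preset above scores 75 (no expiry) with one warning.
analyzeCookie("Set-Cookie: session=abc123; SameSite=Strict; HttpOnly; Secure");
```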

Testing

84 tests, all passing ✅

Tests cover:

  • Parsing all standard attributes
  • Boolean flags (Secure, HttpOnly) detection
  • SameSite value classification
  • Max-Age duration calculation
  • Security score computation
  • XSS/CSRF warning logic
  • All preset templates
  • HTML escaping in output
  • UI elements and copy functionality

All tools at devnestio.pages.dev — free browser-only developer utilities.
