AZ Tools

Cookie / Set-Cookie Header Builder


Builds the `Set-Cookie` header browsers will accept, ordered the way the spec recommends and with every attribute named correctly (PascalCase, no trailing semicolon). Presets cover the four shapes you write 90% of the time: a short-lived session cookie, a longer 'remember me', a third-party embed cookie (SameSite=None + Secure + Partitioned), and a strict CSRF token. The tool also warns about the footguns that bite people the most — SameSite=None without Secure, leading dots on Domain, and HttpOnly on cookies you'll need from JavaScript.

Set-Cookie header:

`Set-Cookie: session=abc123; Path=/; SameSite=Lax; Secure; HttpOnly`

Emit this on a response. The browser stores the cookie; the next request to the matching domain+path sends `Cookie: name=value` automatically.

How to use

  1. Start from the preset closest to your use case and tweak from there.
  2. For a fresh CSRF token, pick the strict preset; SameSite=Strict prevents cross-site requests from carrying it.
  3. Third-party embeds need SameSite=None + Secure + Partitioned to land in a Chromium browser today.
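
The warnings described above, sketched as an added example (not the tool's own source): a builder that emits attributes in the order of the sample header and returns the footgun warnings alongside it. The function name and option names such as `needsJsAccess` are assumptions; it also rejects names, values and attribute strings containing characters that could split the header.

```javascript
// Added example, not the tool's source; option names are assumptions.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;                 // RFC 6265 cookie-name
const VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;  // RFC 6265 cookie-octets

function buildSetCookie(name, value, opts = {}) {
  // Reject CR/LF, ';', spaces and other bytes that would let input inject attributes or headers.
  if (!TOKEN.test(name)) throw new Error('invalid cookie name');
  if (!VALUE.test(value)) throw new Error('invalid cookie value; encode it first');
  const attr = (v) => {
    if (/[\x00-\x1F\x7F;]/.test(v)) throw new Error('control character or ";" in attribute');
    return v;
  };
  const warnings = [];
  const parts = [`${name}=${value}`];
  if (opts.domain !== undefined) {
    let domain = attr(opts.domain);
    if (domain.startsWith('.')) {
      warnings.push('Domain has a leading dot; browsers ignore it, so it is dropped');
      domain = domain.slice(1);
    }
    parts.push(`Domain=${domain}`);
  }
  if (opts.path !== undefined) parts.push(`Path=${attr(opts.path)}`);
  if (opts.maxAge !== undefined) {
    if (!Number.isInteger(opts.maxAge)) throw new Error('Max-Age must be an integer');
    parts.push(`Max-Age=${opts.maxAge}`);
  }
  if (opts.sameSite !== undefined) {
    if (!['Strict', 'Lax', 'None'].includes(opts.sameSite)) throw new Error('bad SameSite');
    parts.push(`SameSite=${opts.sameSite}`);
    if (opts.sameSite === 'None' && !opts.secure) {
      warnings.push('SameSite=None without Secure: Chromium rejects the cookie');
    }
  }
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) {
    parts.push('HttpOnly');
    if (opts.needsJsAccess) warnings.push('HttpOnly hides the cookie from document.cookie');
  }
  if (opts.partitioned) {
    parts.push('Partitioned');
    if (!opts.secure) warnings.push('Partitioned requires Secure');
  }
  return { header: `Set-Cookie: ${parts.join('; ')}`, warnings };
}
```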

Frequently asked questions

Why does SameSite=None need Secure?
Chromium rejects SameSite=None cookies that aren't also Secure — it's the cookie spec's way of forcing third-party cookies onto HTTPS only, where they can't be sniffed by network attackers.

What is the Partitioned attribute?
Partitioned (CHIPS) tells the browser to scope a third-party cookie per top-level site. Without it, Chrome's third-party-cookie phase-out blocks the cookie entirely; with it, your embed still works but each parent site sees its own jar.
