AZ Tools

HTTP Cookie Parser

Two modes: `Cookie:` (what the browser sends — just `name=value` pairs) and `Set-Cookie:` (what the server returns — name, value, and attributes like `Path`, `Domain`, `Max-Age`, `Expires`, `SameSite`, `Secure`, `HttpOnly`, `Partitioned`). The parser flags common misconfigurations: `SameSite=None` without `Secure`, `__Secure-` cookies missing `Secure`, and `__Host-` cookies that don't pass the strict requirements.

Header:

| Name | Value |
| --- | --- |
| session_id | abc123def456 |
| theme | dark |
| locale | ko-KR |

Cookie names and values are URL-encoded in practice — the tool shows them as-is.

How to use

  1. Pick the direction: Cookie (request) or Set-Cookie (response).
  2. Paste one or more cookies. For Set-Cookie, put one cookie per line.
  3. Read off the per-cookie cards. Warnings appear on cookies the browser would reject or treat oddly.

Frequently asked questions

Why is `SameSite=None; Secure` required?
Since Chrome 80, modern browsers have refused cross-site cookies without `Secure`: if you want third-party-context cookies to be sent, the cookie must travel over HTTPS. The tool flags `SameSite=None` without `Secure` so you catch it before deploying.

What's a `__Host-` cookie?
Cookies whose name starts with `__Host-` are subject to stricter rules: the cookie must have `Secure`, must not have a `Domain` attribute, and must have `Path=/`. This makes them strongly host-scoped — convenient for first-party authentication.

Why are multiple lines needed for Set-Cookie?
An HTTP response can carry multiple `Set-Cookie` headers, but they can't be merged onto one line because a cookie can legitimately contain a comma (e.g. in the `Expires` date). The tool follows that convention: one cookie per line.
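The misconfiguration checks listed in the introduction, together with the `__Host-` rules from the FAQ, can be reproduced in a few lines for use in a test suite or CI job. This is an added example, not the tool's own code; the function names and the sample `Set-Cookie` lines are constructed for illustration, and prefixes are matched exactly as written on this page.

```python
# Added example: lint Set-Cookie lines for the misconfigurations named above.
# SAMPLE is constructed input, one cookie per line (as the tool expects).

def parse_set_cookie(line):
    """Split one Set-Cookie line into (name, value, attrs); attribute names lowercased."""
    line = line.strip()
    if line.lower().startswith("set-cookie:"):
        line = line[len("set-cookie:"):]
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes get ""
    return name.strip(), value.strip(), attrs


def lint_set_cookie(line):
    """Return a list of warning strings for one Set-Cookie line."""
    name, _value, attrs = parse_set_cookie(line)
    secure = "secure" in attrs
    warnings = []
    if attrs.get("samesite", "").lower() == "none" and not secure:
        warnings.append("SameSite=None without Secure")
    if name.startswith("__Secure-") and not secure:
        warnings.append("__Secure- prefix without Secure")
    if name.startswith("__Host-"):
        if not secure:
            warnings.append("__Host- prefix without Secure")
        if "domain" in attrs:
            warnings.append("__Host- prefix with Domain attribute")
        if attrs.get("path") != "/":
            warnings.append("__Host- prefix without Path=/")
    return warnings


SAMPLE = """\
Set-Cookie: __Host-sid=abc123; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __Host-sid=abc123; Secure; Domain=example.com; Path=/app
Set-Cookie: __Secure-pref=dark; Path=/
Set-Cookie: widget=1; SameSite=None; Expires=Wed, 21 Oct 2026 07:28:00 GMT
"""

if __name__ == "__main__":
    for sample_line in SAMPLE.splitlines():
        print(sample_line, "->", lint_set_cookie(sample_line) or "ok")
```

The last sample line carries a comma inside its `Expires` date, which is why the input is split per line and never on commas.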
