All The Validators logoAll The Validators

web validator

Set-Cookie Header Validator

Validate Set-Cookie headers for Secure, HttpOnly, SameSite, and __Host/__Secure conventions.

Results

Paste input and validate locally.
Status
Ready when you validate.
Details
Ready when you validate.
Cookies
Ready when you validate.
Issues
Ready when you validate.

How to use this validator

  1. Paste the Set-Cookie headers.
  2. Run validate to check Secure/HttpOnly/SameSite rules and __Host/__Secure conventions.
  3. Fix flagged cookies (missing SameSite, insecure flags) and re-run.

Rules & checks

Requires Secure and HttpOnly on each cookie.

Requires SameSite with valid values (Lax, Strict, None).

Blocks SameSite=None without Secure.

Flags __Host- cookies with Domain or without Path=/ or Secure.

Inputs explained

  • Set-Cookie headers

    Paste one or multiple Set-Cookie lines. Keep secrets out; this runs locally.

When to use it

  • QA API responses for secure cookies
  • Check CDN/edge overrides on Set-Cookie
  • Support debugging auth cookie issues

Common errors

  • SameSite=None without Secure
  • Missing SameSite entirely
  • Missing Secure/HttpOnly on session cookies
  • __Host- cookies missing Path=/ or including Domain

Limitations

  • Header-level validation only; does not check actual authentication logic.
  • Does not test cookie storage/behavior in browsers.

Tips

  • Prefer SameSite=Lax for session cookies unless cross-site needed
  • Always include Secure+HttpOnly on auth cookies
  • Keep __Host- cookies on the apex host with Path=/ and no Domain

Examples

Secure cookie

  • Set-Cookie: session=abc; Secure; HttpOnly; SameSite=Lax; Path=/

Missing SameSite

  • Set-Cookie: session=abc; Secure; HttpOnly -> flagged

__Host- rules

  • Set-Cookie: __Host-id=1; Secure; HttpOnly; Path=/; Domain=example.com -> flagged

Deep dive

This Set-Cookie validator checks Secure, HttpOnly, SameSite, and __Host/__Secure rules entirely in your browser.

Use it to harden auth/session cookies from APIs or CDNs without uploading header data.

FAQs

Is this uploaded?
No. Parsing is local and clears on refresh.

Related validators

web

Security Headers SEO Validator & Public Site Hardening Checker

Validate public-site HTTP security headers for HTTPS trust, response hardening, framing protection, referrer leakage, browser permissions, and launch-readiness QA.

web

CORS SEO Validator — API Origin Trust Checker

Validate Access-Control-Allow-* response headers for public API, app, CDN, and browser trust QA before frontend launches ship.

All validation happens in your browser. No data is sent, logged, or stored.

Header-level validation only; does not check actual authentication logic.