What does the Secure flag do?

"**Send this cookie ONLY over HTTPS**". Without it the cookie travels in clear text over HTTP - anyone on the same Wi-Fi can intercept it ([[MITM attack||Man in the Middle - someone between you and the server can read and modify your traffic]]). Today every session cookie SHOULD have Secure.

What does HttpOnly do?

"**Do not give this cookie to JavaScript**". `document.cookie` will not see it - the browser sends it in headers automatically, but page scripts have no access. Protects against session theft via [[XSS||Cross-Site Scripting - an attack where a malicious script on a page steals user data]]: even if an attacker injects a script, they cannot steal the session ID.

What does SameSite do?

It controls **when the browser sends the cookie on cross-site requests**. **Lax** (default) = sent on top-level navigation but not on cross-site POST. **Strict** = only on same-site requests. **None** = always sent (requires Secure). Protects against [[CSRF||Cross-Site Request Forgery - an attack where a foreign page triggers a request to another site on your behalf, e.g. a money transfer]].

Why does SameSite=None require Secure?

Since 2020 **all major browsers** reject a cookie with `SameSite=None` if it does not have the `Secure` flag. The logic: if you allow cross-site sending, you MUST do it only over HTTPS - otherwise a network attacker trivially intercepts. Our parser flags this case.

Why prefer Max-Age over Expires?

**Max-Age** is a number of **seconds from now** - no need to know the current date or timezone. **Expires** is an **absolute GMT date**. Max-Age is easier to compute and resilient to clock skew. All modern browsers understand Max-Age. If you set both, **Max-Age wins** (RFC 6265).

What are Partitioned cookies (CHIPS)?

**Cookies Having Independent Partitioned State** - a new standard in Chrome (and other browsers) where a cookie embedded in an iframe (e.g. a widget) is **partitioned by the top-level site**. Traditionally the same tracker collected data across many sites - with CHIPS each top-level site has its own, independent bucket. Flag: `Partitioned`.

What does Priority mean on a cookie?

**A Chrome-only extension**: when the browser **approaches the per-domain cookie limit**, it evicts Low first, then Medium, then High. Set High for critical cookies (session, CSRF token), Low for cosmetic ones (theme preference). Other browsers ignore it.

What does a leading dot before a domain (.example.com) mean?

A leading dot meant "**and all subdomains**". `.example.com` = www.example.com, api.example.com, blog.example.com. Without the dot = **only that exact host**. Modern browsers treat both forms the same way - `example.com` in the attribute also covers subdomains.

Which attributes are mandatory?

**None** - just `name=value` is enough (you get a "session cookie", alive until the browser closes). But for a secure login, the **recommended minimum** is: `name=value; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age=...`. That is exactly what "Secure defaults" inserts.

Cookie parser and builder - free

Paste Cookie or Set-Cookie

Parsed cookies (4)Set-Cookie

session_id
Value
abc123def456
Expires
5/13/2027, 9:14:22 AMin 359d
Path
/
Domain
.example.comsubdomains
Secure HttpOnlySameSite=LaxPriority=High
- Domain starts with a dot (.example.com) - cookie shared across all subdomains.
csrf_token
Value
xY9z-K3qP_aB
Lifetime
Session (until browser closes)
Path
/
Secure HttpOnlySameSite=Strict
- No HttpOnly - cookie accessible via JavaScript (document.cookie), exposed to XSS.
tracker
Value
ga_99887766
Max-Age
86400sin 1d
Path
/
Secure HttpOnlySameSite=None
- SameSite=None requires Secure - the browser will reject this cookie.
- No Secure flag - cookie sent over HTTP is vulnerable to MITM interception.
- No HttpOnly - cookie accessible via JavaScript (document.cookie), exposed to XSS.
cart
Value
item-001%2Citem-002
Max-Age
604800sin 7d
Path
/cart
Secure HttpOnlySameSite -
- No Secure flag - cookie sent over HTTP is vulnerable to MITM interception.
- No SameSite - browsers default to Lax, but it is safer to set it explicitly.

Cookie / Set-Cookie header parser and builder

Cookies are the standard way to keep a session and user preferences in the browser. The Cookie header (browser to server) and the Set-Cookie header (server to browser) look similar, but Set-Cookie has a pile of attributes: Expires, Path, Domain, Secure, HttpOnly, SameSite.

Here you can paste a header or build one from scratch. In Parse mode we break each cookie into attributes, show the expiry date ("in 3 days" / "EXPIRED") and assess security: missing Secure, missing HttpOnly, SameSite=None without Secure - you get a clear warning with description.

In Build mode you design a Set-Cookie step by step with a form: fields, dates, Apple-style switches. Secure defaults set Secure + HttpOnly + SameSite=Lax + Max-Age=24h with a single click.

How to use it

Parse: paste a full `Set-Cookie:` header (or many lines) or a `Cookie:` header - we detect both. You get a table with attributes and a security assessment.

Long values are truncated with a "Show more" link. The "Copy" button grabs the full cookie line.

Colored pills show SameSite (red=None, green=Lax, blue=Strict), Priority (Low/Medium/High) and Partitioned (CHIPS).

Build: enter a name and value, pick Max-Age or Expires (mutually exclusive), set Path, Domain, toggle Secure/HttpOnly/Partitioned, choose SameSite and Priority.

The "Secure defaults" button drops in a configuration that any auditor would approve: Secure + HttpOnly + Lax + 24h lifetime.

Copy the resulting `Set-Cookie:` and paste it into your backend response header or your cURL/HTTPie tests.

When this is useful

Real situations when working with sessions and security:

Login debugging - "why does my session not stick?". Paste the Set-Cookie header from DevTools and check if it has Secure, the right domain, whether SameSite is blocking cross-site requests.
Security audit - reviewing cookies of a legacy app, hunting for ones without HttpOnly (XSS exposed) or Secure (MITM exposed). You get the list of issues in a second.
Writing new cookies - designing a login endpoint and wanting to "do it right". "Secure defaults" shows what a Set-Cookie should look like in 2026.
cURL testing - copy a Set-Cookie header from browser DevTools, parse it, tweak, paste into a test script with `-H "Cookie: ..."`.
SameSite=Lax migration - browsers keep getting stricter. Verify your cookies are aligned with the new standard.
Cross-domain cookies - CHIPS / Partitioned cookies for embeds. Here you can see the flag is set correctly.

To inspect HTTP headers, use our HTTP headers inspector. For a headers reference, see HTTP headers reference. For HTTP status codes, use the status code reference.

Questions and answers

They are two directions: Set-Cookie is sent by the server to the browser ("remember this cookie with these attributes"). Cookie is sent by the browser to the server in every following request ("here is what I keep for you"). Set-Cookie has attributes (Expires, Path, Secure...), Cookie is just a list of name=value pairs separated by `; `.

Cookie / Set-Cookie header parser and builder

In Build mode you design a Set-Cookie step by step with a form: fields, dates, Apple-style switches. Secure defaults set Secure + HttpOnly + SameSite=Lax + Max-Age=24h with a single click.

How to use it

Parse: paste a full `Set-Cookie:` header (or many lines) or a `Cookie:` header - we detect both. You get a table with attributes and a security assessment.

Long values are truncated with a "Show more" link. The "Copy" button grabs the full cookie line.

Colored pills show SameSite (red=None, green=Lax, blue=Strict), Priority (Low/Medium/High) and Partitioned (CHIPS).

Build: enter a name and value, pick Max-Age or Expires (mutually exclusive), set Path, Domain, toggle Secure/HttpOnly/Partitioned, choose SameSite and Priority.

The "Secure defaults" button drops in a configuration that any auditor would approve: Secure + HttpOnly + Lax + 24h lifetime.

Copy the resulting `Set-Cookie:` and paste it into your backend response header or your cURL/HTTPie tests.

When this is useful

Real situations when working with sessions and security:

Login debugging - "why does my session not stick?". Paste the Set-Cookie header from DevTools and check if it has Secure, the right domain, whether SameSite is blocking cross-site requests.
Security audit - reviewing cookies of a legacy app, hunting for ones without HttpOnly (XSS exposed) or Secure (MITM exposed). You get the list of issues in a second.
Writing new cookies - designing a login endpoint and wanting to "do it right". "Secure defaults" shows what a Set-Cookie should look like in 2026.
cURL testing - copy a Set-Cookie header from browser DevTools, parse it, tweak, paste into a test script with `-H "Cookie: ..."`.
SameSite=Lax migration - browsers keep getting stricter. Verify your cookies are aligned with the new standard.
Cross-domain cookies - CHIPS / Partitioned cookies for embeds. Here you can see the flag is set correctly.

To inspect HTTP headers, use our HTTP headers inspector. For a headers reference, see HTTP headers reference. For HTTP status codes, use the status code reference.

Questions and answers

Cookie parser and builder

Cookie / Set-Cookie header parser and builder

How to use it

When this is useful

Questions and answers

Related tools

HTTP Headers Inspector

HTTP Status Codes

MIME Type Lookup

HTTP request tester

Cookie parser and builder

Cookie / Set-Cookie header parser and builder

How to use it

When this is useful

Questions and answers

Related tools

HTTP Headers Inspector

HTTP Status Codes

MIME Type Lookup

HTTP request tester