Website Cookies

Cookies are like "Digital ID Badges" that sites give to visitors. If they aren't properly secured, someone can steal them and impersonate you.

01 What are Cookies?

Cookies are small files stored on your computer by websites you visit. They are mostly used to remember who you are (so you don't have to log in on every page) or to save your preferences (like Dark Mode or Shopping Cart items).

02 The "Movie Ticket" Analogy

Think of a cookie as a **Digital Ticket** for a movie:

The Login
You show your ID at the box office.

The Ticket
They give you a stub (the Cookie).

The Security
The "Flags" make the ticket harder to forge or steal.

Without security flags, anyone could grab your ticket and walk into the movie as you.

03 The 3 Levels of Protection

To keep your digital tickets safe, web developers use three main "flags":

HttpOnly

"No Peeking"

Makes the cookie invisible to client-side scripts (JavaScript). This stops an attacker from reading your session info through injected code.

Secure

"Shielded Path"

Ensures the cookie is only sent over encrypted (HTTPS) connections. It won't travel over "plain text" paths.

SameSite

"Stay at Home"

Instructs the browser to send the cookie only with requests that originate from the site itself, preventing "Cross-Site" trickery.

04 Why Cookie Security Matters

Prevents Account Takeover

If a hacker steals your "Session Cookie," they essentially become you. They can access your account without needing your password.

Privacy Compliance

Regulations like GDPR and CCPA require you to treat user data responsibly. Mismanaged cookies can lead to privacy leaks.

05 How to set secure cookies

If you are a developer, here is how you should define your cookies in various languages:

JavaScript (Node.js/Express)

// Session cookie with all three flags set
res.cookie('sessionID', '12345', {
  httpOnly: true,     // not readable by client-side JavaScript
  secure: true,       // only sent over HTTPS
  sameSite: 'Strict'  // only sent with same-site requests
});

PHP

// Session cookie with all three flags set (options-array form, PHP 7.3+)
setcookie("sessionID", "12345", [
  'expires' => time() + 3600,  // expires in one hour
  'path' => '/',
  'secure' => true,            // only sent over HTTPS
  'httponly' => true,          // not readable by client-side JavaScript
  'samesite' => 'Strict',      // only sent with same-site requests
]);

Python (Django)

# In settings.py: flags applied to Django's session cookie
SESSION_COOKIE_SECURE = True     # only sent over HTTPS
SESSION_COOKIE_HTTPONLY = True   # not readable by client-side JavaScript
SESSION_COOKIE_SAMESITE = 'Lax'  # 'Strict' is stricter; 'Lax' still allows top-level links into the site

Not sure if your cookies are safe? Run a scan on the homepage to see a full breakdown of every cookie and its security flags.
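The check a cookie scanner performs is simple to write yourself. The following is an added example, not code from the original page or from the scanner it describes: it parses raw Set-Cookie header values and reports which of the three flags above are missing or inconsistent (including the SameSite=None-without-Secure case that browsers reject). The sample headers are constructed for illustration.

```python
# Added example, not code from the original page: audit raw Set-Cookie header
# values for the three flags described above (HttpOnly, Secure, SameSite).

VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True  # bare flag -> True
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return a list of findings for one cookie; an empty list means all flags are set and consistent."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from client-side script")
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plain HTTP")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite: browser falls back to its default")
    elif str(samesite).lower() not in VALID_SAMESITE:
        findings.append("invalid SameSite value: %r" % samesite)
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject this cookie")
    return findings


def audit_headers(headers):
    """Audit several Set-Cookie headers, keyed by cookie name."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionID=12345; Path=/; HttpOnly; Secure; SameSite=Strict",
    "theme=dark; Path=/",
    "tracker=abc; Path=/; SameSite=None",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(name + ": " + ("OK" if not findings else "; ".join(findings)))
```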

06 Frequently Asked Questions

Do cookies slow down my website?

Generally, no. Cookies are small pieces of data. However, having hundreds of large cookies can slightly increase the size of every request your browser makes.

What happens if a cookie has no 'Secure' flag?

If a cookie isn't marked 'Secure', it can be sent over unencrypted (HTTP) connections, where a hacker could easily steal it.

Why is HttpOnly so important?

HttpOnly prevents JavaScript from reading the cookie. This means even if a hacker finds a bug in your site's code (XSS), they can't 'read' the user's login session.

Is 'SameSite' required?

Yes. Modern browsers now enforce SameSite rules by default. Without an explicit setting, your site may be vulnerable to Cross-Site Request Forgery (CSRF), or the cookie may simply be blocked.
