Overview
Inspect raw Set-Cookie response headers, surface effective attributes, and flag browser policy issues such as SameSite=None without Secure.
Parse raw Set-Cookie lines, expose effective attributes, and flag browser behaviors that commonly break auth and session flows.
When `Path` is omitted, the browser derives a default path from the request URL that set the cookie. That behavior is easy to overlook and can make a cookie available in fewer routes than your team expects. An explicit `Path=/` or another intentional scope is usually clearer and easier to debug.
SameSite controls whether the browser sends the cookie with cross-site requests. `Strict` blocks all cross-site sends, including top-level navigations like links from external sites. `Lax` allows cookies on safe top-level navigations but not on POST or embedded fetches — the modern browser default. `None` allows cross-site sends but requires `Secure`. Use `Lax` for most session cookies and `None; Secure` only when third-party contexts are explicitly required.
Supporting guides that connect this tool to the broader category workflow.
A debugging guide for separating browser cookie policy rejections from backend response success when auth cookies appear to vanish after login.
A concrete debugging workflow for separating malformed requests, authentication failures, permission issues, and validation errors before your team fixes the wrong thing.
A practical browser-first guide to diagnosing the most common credentialed CORS mistake: returning wildcard Allow-Origin while the frontend sends cookies or auth-bound credentials.
A practical guide to choosing the right encoding boundary for redirect_uri, nested URLs, and query parameter values before a small encoding mistake turns into a redirect bug.
What is
A Set-Cookie inspector helps you reason about what a browser will actually do with a response header, not just what the backend intended to send. Cookie bugs are often caused by one missing attribute, a confusing default path, or a cross-site policy mismatch that only appears after deployment.
By parsing each `Set-Cookie` line into a clean attribute view and attaching focused warnings, the tool makes auth and session debugging much faster during frontend-backend handoff, incident review, and local environment setup.
How to use
Paste one or more raw `Set-Cookie` header lines exactly as they appear in logs or browser devtools. The inspector splits the cookie name and value from its attributes, shows the effective flags, and warns about patterns such as `SameSite=None` without `Secure`, missing `Path`, or sensitive-looking cookies that are not `HttpOnly`.
Example
Example:
Input: `refresh_token=def456; Path=/auth; HttpOnly; SameSite=None`
The inspector highlights that `SameSite=None` is present but `Secure` is missing. In modern browsers, that usually prevents the cookie from being accepted in cross-site contexts, which can look like a random login failure if you only inspect the backend response superficially.Common use cases
1. Debugging why a login cookie is set in the response but absent in the browser store.
2. Reviewing auth cookie changes before shipping a new session strategy.
3. Comparing staging and production response headers during cross-site redirect flows.
4. Teaching teammates the practical effect of `Path`, `SameSite`, `Secure`, and `HttpOnly`.
Frequently asked questions