What does a cookie scanner check?

A cookie scanner checks which cookies a page sets, whether they use security flags like Secure, HttpOnly, and SameSite, how many appear to be tracking cookies, and whether the page exposes banner or consent-tool signals.

Does this scanner see every cookie a site might ever set?

No. This tool focuses on the initial response and page HTML. Some cookies only appear after login, interaction, consent acceptance, or client-side requests, so this is best treated as a strong first-pass audit.

Why do Secure and HttpOnly matter so much?

Secure helps prevent cookies from being sent over insecure transport, while HttpOnly reduces JavaScript access to sensitive cookies. Together with SameSite, they are some of the most important baseline cookie hardening controls.

Cookie Scanner - Audit Set-Cookie Flags, Tracking and Consent | Pacgie

Why use a cookie scanner?

A cookie scanner helps you understand what a page is setting on the very first response and whether those cookies look disciplined from a security and governance perspective. That matters because cookie behavior touches security, privacy, performance, analytics, and compliance all at once. A page can appear tidy to a normal visitor while still setting too many cookies, exposing tracking identifiers without obvious consent controls, or missing basic hardening flags such as `Secure`, `HttpOnly`, and `SameSite`.

A strong scanner therefore needs to do more than list raw `Set-Cookie` headers. It should classify likely cookie roles, show which cookies are persistent or session-based, highlight missing security attributes, and look for banner or consent-manager signals in the HTML. That makes the result useful to marketers, developers, privacy teams, and technical SEOs instead of limiting it to a low-level header dump.

How to use this cookie scanner

Enter a public URL and scan the page. The tool fetches the initial response, parses the cookies returned in `Set-Cookie`, and then checks the HTML for signals that suggest a cookie banner or consent framework. Start with the governance score and the summary cards so you can see the broad shape of the setup quickly. Then look at category counts, because they help separate essential cookies from likely analytics or marketing identifiers.

After that, move into the warnings and recommendations. A site may set only a handful of cookies but still miss `Secure` or `HttpOnly` on important session values. A different site may set many tracking cookies and still show no obvious consent signal in the initial HTML. The best use of a scanner is not to chase a perfect score for its own sake. It is to spot where security, privacy, and governance deserve a closer review.

What the results can and cannot tell you

This scanner focuses on the initial response and the first page load. That makes it fast and useful, but it also means some client-side cookies may only appear after scripts run, after a user logs in, or after consent is accepted. So the scan should be treated as a strong first-pass audit rather than a complete behavioral simulation. Even with that limitation, the initial response is often enough to catch poor cookie hygiene, overuse of persistent identifiers, and obvious gaps in security flags or consent visibility.

Free Cookie Scanner

Run a cookie governance scan

More Intel & Privacy Workflow Tools

Third-Party Script Auditor

HTTP Header Analyzer

Tech Stack Analysis

Email Header Analyzer

MX Lookup Tool

CNAME Lookup Tool

Proxy Checker

Hash Identifier

Why use a cookie scanner?

How to use this cookie scanner

What the results can and cannot tell you