Cookie Scanner
Scan any website for cookies set on page load. Check cookie attributes (HttpOnly, Secure, SameSite), classify by purpose, and assess GDPR compliance.
How to Use Cookie Scanner
1. Enter the URL of any website you want to scan.
2. Our scanner fetches the page and inspects Set-Cookie response headers.
3. Review each cookie: name, attributes, and purpose classification.
4. Fix missing security attributes and remove unnecessary tracking cookies to improve GDPR compliance.
Frequently Asked Questions
What cookies can this scanner detect?
This scanner detects cookies set via HTTP Set-Cookie response headers when your browser first loads the page. It does not detect cookies set purely by JavaScript (document.cookie) after page load, as those require executing the page's scripts.
Why do analytics and marketing cookies require consent under GDPR?
Under GDPR and the ePrivacy Directive, any non-essential cookie (analytics, marketing, personalization) requires prior, informed, freely given consent before being set. "Prior" means before the cookie is set — not after page load.
What is the HttpOnly cookie attribute?
HttpOnly prevents JavaScript from accessing the cookie via document.cookie. This protects session cookies from XSS attacks where malicious scripts try to steal authentication tokens. Always set HttpOnly on session cookies.
What is the SameSite cookie attribute?
SameSite controls whether a cookie is sent with cross-site requests. SameSite=Strict only sends the cookie for same-site requests. SameSite=Lax allows top-level navigation but blocks cross-site POSTs. SameSite=None requires Secure and allows all cross-site requests (needed for third-party cookies).
What is the Secure cookie flag?
The Secure flag tells the browser to only send the cookie over HTTPS connections. Without it, the cookie can be intercepted on HTTP connections or HTTP redirects.
What does "session cookie" mean?
A session cookie has no Max-Age or Expires attribute — it is deleted when the browser session ends (when the user closes the browser). Persistent cookies have an expiry date and survive browser restarts.
My site has 0 cookies detected — is that correct?
Possibly yes. Many cookies are set by JavaScript after page load, which this scanner cannot see. Tools like browser DevTools (Application → Cookies) show all cookies including JS-set ones. This scanner focuses on HTTP-level cookies.
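
The attribute checks described in the answers above (HttpOnly, Secure, SameSite, session vs. persistent) can be reproduced against raw Set-Cookie header values. The following Python is an added example, not the scanner's own code; the function names and the sample headers are constructed for illustration.

```python
# Added example: audit raw Set-Cookie header values for the attributes
# covered in the FAQ. Function names are hypothetical, samples are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attr names lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:  # skip empty segments such as a trailing ';'
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_cookie(header):
    """Return the cookie name, its lifetime class, and missing/unsafe attributes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite not in ("strict", "lax", "none"):
        findings.append("invalid SameSite value")
    elif samesite == "none" and "secure" not in attrs:
        # SameSite=None requires Secure, as the FAQ notes.
        findings.append("SameSite=None without Secure")
    # No Max-Age and no Expires means the cookie ends with the browser session.
    persistent = "max-age" in attrs or "expires" in attrs
    return {"name": name,
            "lifetime": "persistent" if persistent else "session",
            "findings": findings}

# Constructed sample headers, as they would appear after "Set-Cookie: ".
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_track=xyz; Max-Age=31536000; SameSite=None",
    "theme=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(audit_cookie(header))
```

Like the scanner, this only sees cookies delivered in response headers; cookies written through document.cookie never pass through it.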