About Cookie Parser

Parse Cookie / Set-Cookie header into name=value + attribute list. Part of the DevTools Surf developer suite. Browse more tools in the Web / Frontend collection.

Use Cases

• Backend developers debugging Set-Cookie headers in API responses
• Security engineers auditing cookie attributes for session management
• QA testers verifying cookie settings across different environments
• Frontend developers understanding which cookies are accessible via document.cookie

Tips

• Paste a raw Set-Cookie header to see all attributes parsed separately
• Check the SameSite and Secure flags in the parsed output for security
• Use it to compare multiple cookies from different response headers

Fun Facts

• The Set-Cookie header was first specified in RFC 2109 (1997) by Netscape, but browsers diverged so much that a new RFC 6265 was needed in 2011.
• A single Set-Cookie header can only set one cookie — to set multiple cookies, the server must send multiple Set-Cookie headers in the same response.
• The HttpOnly flag, introduced by Microsoft in IE 6 SP1 (2002), prevents JavaScript from reading a cookie, mitigating most XSS-based session theft.

FAQ

What can it parse?

Cookie headers (client-side) and Set-Cookie headers (server-side). Each cookie becomes a name=value with its attributes (Domain, Path, Expires, Secure, HttpOnly, SameSite).

Which attributes are recognized?

All standard ones: Expires, Max-Age, Domain, Path, Secure, HttpOnly, SameSite, Priority (Chrome), Partitioned (CHIPS). Plus flags not set get shown as defaults.

Does it validate attribute values?

Yes — SameSite=None without Secure is flagged, Max-Age and Expires conflicts noted, invalid domains detected. Common misconfigurations surface immediately.

What's SameSite=None?

Allows cross-site cookie use (ad tracking, embedded widgets). Required by modern browsers alongside Secure. Default SameSite=Lax blocks most cross-site use.