What is the difference between Expires and Max-Age?

Expires sets an absolute expiry date in HTTP-date format, while Max-Age sets a lifetime in seconds from receipt. If both are present Max-Age wins in modern browsers. With neither, the cookie is a session cookie that is cleared when the browser session ends.

What does HttpOnly protect against?

HttpOnly hides the cookie from document.cookie and other JavaScript APIs, so a cross-site scripting (XSS) payload cannot read it. It does not stop the cookie being sent on requests; it only blocks script access, which is why session tokens should always be HttpOnly.

When must a cookie be Secure?

Secure means the cookie is only sent over HTTPS. It is mandatory for SameSite=None and for the __Secure- and __Host- name prefixes. Any cookie carrying sensitive data should be Secure so it never traverses a plaintext connection.

What do the __Host- and __Secure- prefixes do?

They are enforced naming conventions. __Secure- requires the Secure attribute. __Host- requires Secure, Path=/ and no Domain attribute, locking the cookie to the exact host that set it and preventing subdomain or path injection of look-alike cookies.

Does this tool read or set cookies?

No. It is an offline reference of attribute meanings. It does not read document.cookie or set anything.

HTTP Cookie Attributes Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

The Set-Cookie response header carries a name/value pair plus attributes that control the cookie’s scope, lifetime and security posture. Getting these right is the difference between a hardened session token and a hijackable one. This reference lists every standard attribute with its behaviour and security implications, searchable by name.

How it works

A cookie is set with Set-Cookie and returned by the browser in the Cookie request header for matching requests. Attributes after the first ; shape where and when it is sent:

Set-Cookie: __Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600

Domain and Path set the scope; Expires/Max-Age set lifetime; Secure and HttpOnly restrict transport and script access; SameSite governs cross-site sending; Partitioned opts into CHIPS partitioned storage. Name prefixes __Secure- and __Host- add browser-enforced requirements.

Tips and notes

Session cookies (no Expires/Max-Age) are cleared when the browser session ends.
Always combine HttpOnly + Secure + SameSite on auth cookies.
Use the __Host- prefix to pin a cookie to one exact host and path /.
Omitting Domain scopes the cookie to the exact host — usually what you want.
Partitioned (CHIPS) keeps a cross-site cookie in a per-top-site jar, surviving third-party cookie phase-out.

HTTP Cookie Attributes Reference

Email me this result

Every knob on a Set-Cookie

How it works

Tips and notes