HTTP Cookie Builder & Parser
Construct or decode Set-Cookie headers with SameSite, Secure, HttpOnly, and prefix validation.
Set-Cookie header
Set-Cookie: session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=LaxSameSite
Lax is sent on top-level navigations only — the modern default.Strict never crosses sites, even via clicks from another origin. None allows cross-site sends but requires Secure.
Host- and Secure- prefixes
A cookie named __Host-id must set Secure, no Domain, and Path=/ — browsers reject it otherwise. __Secure- just requires Secure. Both are belt-and-braces against subdomain takeover.
You might also like
- HTTP Message ParserParse a header block, raw request, or raw response into structured JSON with smart Set-Cookie / Cache-Control / Content-Type breakdowns.
- Cache-Control Header BuilderBuild HTTP Cache-Control headers with presets for static assets, APIs, and private responses.
- HTTP Status Code ReferenceSearchable reference of every HTTP status code with descriptions and category.
- Color Picker & Contrast CheckerPick colors, convert between HEX/RGB/HSL, and check WCAG contrast.