Set-Cookie Attribute Builder

Compose a Set-Cookie header value from name, value, and attributes.


Overview

The Set-Cookie Attribute Builder composes a complete Set-Cookie header value from name, value, and the standard attributes — Expires, Max-Age, Domain, Path, Secure, HttpOnly, SameSite, Partitioned, Priority. It shows exactly what the browser will store and how the cookie will behave across subdomains, cross-origin requests, and HTTPS.

Useful for backend developers and security engineers who need to set a SameSite=None cookie correctly (it must also carry Secure) or write an HttpOnly session cookie. Reach for it when auditing the cookies your app issues, hardening cross-site cookies as browsers restrict third-party cookies, or migrating an embed to Chrome's CHIPS (Partitioned cookie) model.

How it works

The Set-Cookie header (RFC 6265; SameSite and the name prefixes come from the RFC 6265bis draft) carries a name=value pair followed by semicolon-separated attributes. Expires is an HTTP date; Max-Age is a lifetime in seconds and takes precedence over Expires when both are present. Domain widens scope so the cookie is also sent to subdomains of the given domain; omitting it makes the cookie host-only. Path limits the cookie to requests whose URL path starts with that prefix. Secure means the cookie is only sent over HTTPS. HttpOnly hides it from document.cookie and other script access. SameSite controls cross-site behaviour (Strict, Lax or None; None is only accepted together with Secure).

The builder enforces the modern requirements: SameSite=None without Secure is rejected by browsers; a __Secure- name must carry Secure; a __Host- name must carry Secure and Path=/ and must not carry Domain; and Partitioned, the CHIPS opt-in for cross-site cookies now that browsers partition or block third-party storage, must be combined with Secure.
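As an added example (not the tool's own code), the following JavaScript composes a header value under these rules and throws on the combinations browsers refuse to store; the function names buildSetCookie, parseSetCookie and effectiveExpiry, and the attribute order, are this example's choices. The parser half also shows how a receiving browser resolves the lifetime when both Max-Age and Expires are present.

```javascript
// Added example (not the builder's own code): compose a Set-Cookie header
// value and reject attribute combinations that browsers will not store.

// RFC 6265: cookie-name is an HTTP token; cookie-value is printable US-ASCII
// without whitespace, double quote, comma, semicolon or backslash.
const NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function buildSetCookie(name, value, attrs = {}) {
  const { expires, maxAge, domain, path, secure, httpOnly, sameSite, partitioned, priority } = attrs;
  if (!NAME_RE.test(name)) throw new Error(`invalid cookie name: ${JSON.stringify(name)}`);
  if (!VALUE_RE.test(value)) throw new Error('cookie value needs encoding (e.g. base64url) first');

  if (sameSite !== undefined && !['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`unknown SameSite value: ${sameSite}`);
  }
  // Browsers drop SameSite=None cookies that are not also Secure.
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  // Name prefixes (RFC 6265bis): __Secure- needs Secure; __Host- additionally needs Path=/ and no Domain.
  if (name.startsWith('__Secure-') && !secure) throw new Error('__Secure- cookies must be Secure');
  if (name.startsWith('__Host-') && (!secure || path !== '/' || domain !== undefined)) {
    throw new Error('__Host- cookies must be Secure, have Path=/ and carry no Domain');
  }
  // CHIPS: a Partitioned cookie must be Secure.
  if (partitioned && !secure) throw new Error('Partitioned requires Secure');
  if (priority !== undefined && !['Low', 'Medium', 'High'].includes(priority)) {
    throw new Error(`unknown Priority value: ${priority}`);
  }
  if (maxAge !== undefined && !Number.isInteger(maxAge)) {
    throw new Error('Max-Age must be an integer number of seconds');
  }

  const parts = [`${name}=${value}`];
  if (expires !== undefined) {
    const d = new Date(expires);
    if (Number.isNaN(d.getTime())) throw new Error('Expires is not a valid date');
    parts.push(`Expires=${d.toUTCString()}`); // IMF-fixdate, e.g. "Thu, 02 Jan 2025 00:00:00 GMT"
  }
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (domain !== undefined) parts.push(`Domain=${domain}`);
  if (path !== undefined) parts.push(`Path=${path}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite !== undefined) parts.push(`SameSite=${sameSite}`);
  if (partitioned) parts.push('Partitioned');
  if (priority !== undefined) parts.push(`Priority=${priority}`);
  return parts.join('; ');
}

// Parse a header value back into its name, value and (lower-cased) attributes.
function parseSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const raw of rawAttrs) {
    const i = raw.indexOf('=');
    const key = (i === -1 ? raw : raw.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : raw.slice(i + 1);
  }
  return cookie;
}

// Absolute expiry in ms since the epoch, or null for a session cookie.
// Per RFC 6265 section 5.3, Max-Age takes precedence over Expires.
function effectiveExpiry(header, nowMs = Date.now()) {
  const { attrs } = parseSetCookie(header);
  if (attrs['max-age'] !== undefined) {
    const secs = Number.parseInt(attrs['max-age'], 10);
    if (!Number.isNaN(secs)) return nowMs + secs * 1000;
  }
  if (attrs.expires !== undefined) {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) return t;
  }
  return null;
}

// Stand-alone demo: the four cookies from the Examples section.
console.log(buildSetCookie('sid', 'abc', { path: '/', httpOnly: true, secure: true, sameSite: 'Lax' }));
console.log(buildSetCookie('theme', 'dark', { path: '/', maxAge: 31536000, sameSite: 'Lax' }));
console.log(buildSetCookie('id', 'xyz', { path: '/', httpOnly: true, secure: true, sameSite: 'None', partitioned: true }));
console.log(buildSetCookie('__Host-csrf', 'token', { path: '/', secure: true, httpOnly: true, sameSite: 'Strict' }));
```

The value check is deliberately strict: rather than percent-encoding on the caller's behalf, it forces you to choose an encoding, because a cookie value that silently gains a semicolon or quote is how attribute injection into Set-Cookie happens.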

Examples

  • A session cookie → sid=abc; Path=/; HttpOnly; Secure; SameSite=Lax.
  • A persistent preference → theme=dark; Path=/; Max-Age=31536000; SameSite=Lax.
  • An embedded-widget cookie → id=xyz; Path=/; HttpOnly; Secure; SameSite=None; Partitioned.
  • A host-locked secure cookie → __Host-csrf=token; Path=/; Secure; HttpOnly; SameSite=Strict.

FAQ

SameSite Lax vs Strict?

Strict withholds the cookie on every cross-site request, including a top-level navigation from another site, so a user who follows a link to your site arrives without their session until the next same-site request. Lax withholds it on cross-site subresource requests (images, fetch, iframes) and on cross-site POSTs, but sends it on cross-site top-level navigations that use a safe method such as GET. That is the behaviour most session cookies want, and it is what Chrome applies when SameSite is omitted.
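The rule above as a runnable decision table, added here as an example rather than taken from the tool. Two simplifications are assumptions of this example: a "site" is approximated as the last two DNS labels (real browsers use the Public Suffix List and also compare schemes), and a cookie with no SameSite attribute is treated as Lax, as Chrome does by default. The names wouldSendCookie, siteOf and sameSiteMatrix and the bank.example / evil.example hosts are constructed for the demo.

```javascript
// Added example (not the builder's own code): which stored cookies a browser
// attaches to a request under each SameSite mode.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Assumption: registrable domain = last two labels (no Public Suffix List).
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// cookie: { sameSite?: 'Strict'|'Lax'|'None', secure?: boolean }
// req: { scheme, host, initiatorHost, topLevelNavigation, method }
function wouldSendCookie(cookie, req) {
  if (cookie.secure && req.scheme !== 'https') return false;        // Secure: HTTPS only
  if (siteOf(req.host) === siteOf(req.initiatorHost)) return true;  // same-site: always sent
  switch (cookie.sameSite ?? 'Lax') {                                // assumption: Lax by default
    case 'Strict': return false;                                     // never cross-site
    case 'Lax':    return req.topLevelNavigation && SAFE_METHODS.has(req.method);
    case 'None':   return true;                                      // cross-site allowed (needs Secure)
    default:       throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed scenarios: the user is on evil.example and something there
// targets bank.example, where the cookie was originally set.
const SCENARIOS = {
  linkClick:   { scheme: 'https', host: 'bank.example',     initiatorHost: 'evil.example',     topLevelNavigation: true,  method: 'GET'  },
  formPost:    { scheme: 'https', host: 'bank.example',     initiatorHost: 'evil.example',     topLevelNavigation: true,  method: 'POST' },
  imageOrXhr:  { scheme: 'https', host: 'bank.example',     initiatorHost: 'evil.example',     topLevelNavigation: false, method: 'GET'  },
  sameSiteXhr: { scheme: 'https', host: 'api.bank.example', initiatorHost: 'www.bank.example', topLevelNavigation: false, method: 'POST' },
};

// Returns { scenario: { Strict: bool, Lax: bool, None: bool } } for a Secure cookie.
function sameSiteMatrix() {
  const out = {};
  for (const [name, req] of Object.entries(SCENARIOS)) {
    out[name] = {};
    for (const mode of ['Strict', 'Lax', 'None']) {
      out[name][mode] = wouldSendCookie({ sameSite: mode, secure: true }, req);
    }
  }
  return out;
}

console.table(sameSiteMatrix());
```

Read the table row by row: only the link-click row differs between Strict and Lax, which is why Lax is the usual choice for a session cookie, while a CSRF-relevant form POST from another site is blocked by both. The same-site row is sent under every mode, a reminder that SameSite does nothing against an attacker who controls a sibling subdomain.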

Why does SameSite=None need Secure?

Because SameSite=None is an explicit opt-in to sending the cookie on cross-site requests, and without Secure it would also travel on plaintext requests, where a network attacker can read or replace it. Chrome has rejected SameSite=None cookies that lack Secure since version 80 (2020); a rejected cookie is not stored at all rather than downgraded to Lax.

What does the __Host- prefix do?

It forces strict scoping: the cookie must be Secure, must have Path=/, and must not have a Domain attribute, so it is bound to exactly one host. A browser ignores a __Host- cookie that violates any of these rules. Because neither a subdomain nor a non-HTTPS origin can set such a cookie, it defends against cookie tossing, where a compromised or taken-over subdomain plants a cookie that the parent site then trusts.

When do I need Partitioned?

For cross-site cookies set by third-party embeds in browsers that partition or block third-party cookies (Chrome's CHIPS). A Partitioned cookie is keyed by the top-level site as well as by the cookie's own domain: the cookie your widget sets while embedded on site-a.example is separate from the one it sets while embedded on site-b.example, instead of one shared jar that could be used for cross-site tracking. It must be set with Secure, and in practice with SameSite=None, since it is sent in a cross-site context.
