Cookie Inventory Report


The Cookie Inventory report provides insights into all cookies collected during the audit and their respective attributes. These insights are particularly relevant in respect to security and privacy, but apply more broadly as well.

In this section of the report you can see the following metrics displayed:

  • The # of pages scanned
  • The # of unique cookies
  • The # of unique 1st party cookies
  • The # of unique 3rd party cookies
  • The # of cookies with a secure attribute that equals false
  • The # of cookies with an undefined SameSite attribute

You can hover over any metric to see a tool-tip defining it and drill into any chart to see the latest run compared to all historical runs.


The Cookies table shows each unique cookie and the following attributes

  • Name
  • Domain
  • 1st-party cookies are directly created by the domain being visited. These cookies are set by the website you are currently on and are primarily used to enhance the user experience, remember user preferences, and track user interactions within that specific website.
  • 3rd-party cookies are created by domains that are not the domain being visited. These cookies are set by external domains, often different subdomains or entirely different websites from the one you are currently visiting. They are typically used for cross-site tracking, advertising, and analytics purposes and can collect information about your browsing behavior across multiple websites.
  • Expiration Type - This will have either session or timestamp in most cases.
  •  SameSite attribute is like a rule for cookies that helps keep your web browsing safe.

    SameSite=None: If you set a cookie to SameSite=None, it can be used by other websites, but it must also be secure (HTTPS).

    SameSite=Strict: If you set a cookie to SameSite=Strict, it can only be used by the website that created it. It's the safest option against attacks.

    SameSite=Lax: If you use SameSite=Lax, the cookie can be used when you click links, but not by other websites in most cases. It's a balance between security and convenience.

  • Secure* - Indicates that the cookie is sent to the server only when a request is made with the https:  scheme (except on localhost), and therefore, is more resistant to man-in-the-middle attacks.
  • HTTPONLY* - Forbids JavaScript from accessing the cookie.
  • Average Size (bytes) - Size of the cookie
  • Set on # of pages

*Source - Mozilla Developer Network

Note: In the 1st/3rd party cookie column, we identify 3rd party "owned" cookies which are cookies that are set by a different subdomain than the subdomain currently crawled.

Once you have filtered to a specific set of cookies, the table below will update and allow you to drill into a Page Details report for additional analysis.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us