Skip to main content
All CollectionsAudits
Cookie Inventory Report
Cookie Inventory Report
Luiza Gircoveanu avatar
Written by Luiza Gircoveanu
Updated over a week ago


The Cookie Inventory report provides insights into all cookies collected during the Audit and their respective attributes. These insights are particularly relevant in respect to security and privacy but apply more broadly as well.

In this section of the report you can see the following metrics displayed:

  • The # of pages scanned

  • The # of unique cookies

  • The # of unique 1st party cookies

  • The # of unique 3rd party cookies

  • The # of cookies with a secure attribute that equals false

  • The # of cookies with an undefined SameSite attribute

You can hover over any metric to see a tool-tip defining it and drill into any chart to see the latest run compared to all historical runs.


The Cookies table shows each unique cookie and the following attributes

  • Name

  • Domain

  • Initiators - An Initiator is the technology that sets a cookie. If the technology is identified in ObservePoint's database of tagging technologies, it will display its icon in the initiator column. You can click on any cookie in this report to see it's initiator data in more detail.

  • 1st-party cookies are directly created by the domain being visited. These cookies are set by the website you are currently on and are primarily used to enhance the user experience, remember user preferences, and track user interactions within that specific website.

  • 3rd-party cookies are created by domains that are not the domain being visited. These cookies are set by external domains, often different subdomains or entirely different websites from the one you are currently visiting. They are typically used for cross-site tracking, advertising, and analytics purposes and can collect information about your browsing behavior across multiple websites.

  • Partitioned cookies are a type of cookies that are designed to improve user privacy on the web.

    • Here's how partitioned cookies work:

      • They are stored with two keys: the regular hostname and a new partition key.

      • The partition key is based on the top-level site you were on when the cookie was set.

      • This essentially creates separate "cookie jars" for each top-level site

      • Third-party services can still set cookies on your device.

      • But those cookies can only be accessed by the same service when you're on the same top-level site where it was set.

  • Duration - Cookie duration is how long a website remembers you. It can be as short as a few seconds or as long as several years. This feature helps determine how compliant you may be with various privacy laws such as GDPR. e.g. Showing cookies with a duration of 12 months or more, which could potentially put a site out of compliance.

  • Expiration Type - This will have either session or timestamp in most cases.

  • SameSite attribute is like a rule for cookies that helps keep your web browsing safe.

    SameSite=None: If you set a cookie to SameSite=None, it can be used by other websites, but it must also be secure (HTTPS).

    SameSite=Strict: If you set a cookie to SameSite=Strict, it can only be used by the website that created it. It's the safest option against attacks.

    SameSite=Lax: If you use SameSite=Lax, the cookie can be used when you click links, but not by other websites in most cases. It's a balance between security and convenience.

  • Secure* - Indicates that the cookie is sent to the server only when a request is made with the https: scheme (except on localhost), and therefore, is more resistant to man-in-the-middle attacks.

  • HTTPONLY* - Forbids JavaScript from accessing the cookie.

  • Average Size (bytes) - Size of the cookie

  • Present on # of pages

Note: In the 1st/3rd party cookie column, we identify 3rd party "owned" cookies which are cookies that are set by a different subdomain than the subdomain currently crawled.

Cookie Initiators

A cookie initiator is a tool that helps you understand where and when a website's cookies are set. It categorizes these origins into four types: Application Code, HTTP Response Header, ObservePoint Action, or Unknown. This data is collected from various sources, like the website's code, network responses, and actions during Audits or Journeys. Knowing the initiator type and context helps you analyze and manage cookies effectively, improving your tracking and understanding of website behavior.

To access Cookie Initiators, simply click on the cookie and it will load the cookie details:

  • Name

  • Domain

  • 1st/3rd Party

  • Duration Min

  • Duration <ax

  • Expiration Type

  • Samesite

  • Secure


  • Average Site

  • Initiators - (There can be several initiators under the same cookie)

    • Initiators

    • Tag Category

    • Tag Vendor

    • Domain

    • Set Method

    • Instances

Once you have filtered to a specific set of cookies, the table below will update and allow you to drill into a Page Details report for additional analysis

Did this answer your question?