SitePrivacyScore
Home/Cookies and Tracking Guide/Check Cookies on Website
Free Privacy Resource

Check Cookies on Website

Scan any URL to see which cookies are set, which ones look non-essential, and where your website may be creating consent or disclosure risk.

Use this guide to understand the issue, validate the problem manually, and run the live scanner when you are ready. Get results in under 30 seconds.

Run the scanner for this issue

The fastest way to confirm this issue on a live domain is to run the dedicated scanner. It checks the technical signal directly, then shows the finding in plain language with remediation context.

Check Website CookiesRun Full Privacy Audit

Need the full topic map first? Visit the Cookies and Tracking Guide for the related guides, tools, and supporting checks.

Why teams search for this check

Search intent around this topic usually comes from one of three pressures: a buyer or procurement questionnaire, a legal or compliance review, or an engineering team trying to validate a risky browser behavior before launch.

This page is written to answer that intent directly, without generic filler. It explains what the issue means technically, how to confirm it manually, and what a defensible fix looks like in production.

What this means

Users expect and legally demand transparency regarding what data is stored on their hardware. When site owners check cookies, they map out the complete data collection footprint of their application.

This process often reveals forgotten, outdated, or undocumented third-party integrations that silently track users long after their original business purpose has expired.

Why it matters

Failing to document and classify active cookies exposes your business to regulatory fines. Furthermore, cookies that are missing Secure or HttpOnly flags pose significant session hijacking security risks. In practice, teams usually do not lose trust because of a single configuration detail. They lose trust when the issue suggests weak governance, undocumented vendors, avoidable data sharing, or a disconnect between legal claims and live technical behavior.

What this tool specifically detects

  • Cookies placed by the page response that may be analytics-related, advertising-related, or security-sensitive.
  • Long-lived identifiers and cookie attributes that change how regulators and security reviewers interpret risk.
  • Cookie behavior that can require prior consent, updated notices, or tighter security controls.

When this becomes critical

  • You use analytics, ad tech, or multi-vendor marketing stacks.
  • The site contains login, checkout, or customer account flows.
  • You are responding to GDPR or ePrivacy concerns from customers, procurement teams, or legal counsel.

How this check works

This tool inspects the incoming `Set-Cookie` directives from the server response, illuminating the names, domains, and security attributes of all active browser storage operations.

The goal is not to create noise. The goal is to surface the signal that matters first, show you how the issue normally appears in production, and help you decide whether you need a quick fix, a deeper audit, or a broader policy update.

Real-world examples that trigger this finding

A site drops _ga and _fbp on first load even though the cookie banner says tracking is optional.

An authentication cookie is missing Secure or SameSite, raising a preventable session-handling concern.

A legacy vendor leaves behind marketing cookies long after the integration was removed from the UI.

How to manually detect this issue

  • Inspect Set-Cookie headers and the Application tab in browser DevTools after a fresh page load.
  • Separate essential session cookies from analytics or advertising identifiers.
  • Check whether cookie creation changes before and after the user interacts with the consent banner.

How to fix it

  • Classify cookies by business purpose, duration, and origin.
  • Block non-essential cookies until consent is collected and documented.
  • Apply Secure, HttpOnly, and SameSite controls to sensitive cookies where appropriate.
  • Retire unknown or obsolete cookies and update the cookie notice.

Common mistakes teams make

  • Treating all first-party cookies as exempt from disclosure or consent.
  • Ignoring cookie duration, which often reveals tracking intent.
  • Leaving security attributes inconsistent across staging, production, and subdomains.

Internal links for this topic

Use the hub page for the full topic map, then jump into the most relevant tools, guides, and related checks from the same cluster.

Cluster hub

Cookies and Tracking Guide

Free tools

Cookie scanner for websitesWebsite tracker detection tool

Learn next

Learn how cookies and tracking workLearn about cookie consent

Related checks

Check website trackersCheck website tracking scripts

More resources

PII Exposure CheckNetwork Analyzer

Related Check Guides

Frequently Asked Questions

What counts as a non-essential cookie?+
Analytics, advertising, retargeting, and many personalization cookies are usually considered non-essential because the page can function without them. Those are the ones that often create consent requirements.
Can first-party cookies still require consent?+
Yes. A cookie being first-party only means it is set on your domain. If its purpose is analytics, advertising, or profiling, it can still trigger consent obligations.
How do I verify cookies are blocked before consent?+
Test the page in a clean browser session, do not interact with the banner, and check whether cookies or tracking requests appear before the user makes a valid choice.

Scan your website now

Scan your website now

Run the dedicated tool for this issue to validate the live website quickly, then use the full SitePrivacyScore audit when you need a broader privacy review.

Check Website CookiesBrowse All Free Tools

For deeper runtime checks, run the full privacy audit →