
Cookies Inspector

Scan your browser's cookies, local storage, session storage, and IndexedDB for trackers, missing security flags, oversized entries, and third-party origins — client-side only, no data sent anywhere.

What Gets Checked

  • Cookies — flags missing Secure, HttpOnly, or SameSite attributes; detects common tracker cookie patterns
  • localStorage — lists keys, value sizes, and flags oversized entries (>4 KB)
  • sessionStorage — same checks as localStorage, scoped to the current tab session
  • IndexedDB — lists database names present in your browser
  • Third-party origins — identifies storage set by domains other than the current site

Frequently Asked Questions

What's the difference between cookies, localStorage, and sessionStorage?
Cookies are small key-value pairs sent with every HTTP request — they can have expiry dates, domain scope, and security attributes like Secure and SameSite. localStorage persists indefinitely even after closing the browser and is never sent to the server automatically. sessionStorage works the same way but is wiped when you close the tab. IndexedDB is a more powerful, structured database in the browser capable of storing large amounts of data.
Why can't I see all my cookies?
Cookies marked HttpOnly are intentionally hidden from JavaScript — this security feature prevents malicious scripts from stealing session tokens. Without the Cookie Store API (Chrome/Edge only), security attributes like Secure, SameSite, and Expires are also unavailable to page code. In both cases those cookies still exist and are still sent to the server; they're just not readable by JavaScript.
Is this tool sending my cookie data anywhere?
No. Everything in this scanner runs entirely in your browser. No cookie names, values, or storage contents are transmitted to any server — not even to IP Drills. The Export JSON button creates a file locally and downloads it directly to your device.
What are tracking cookies and how do I block them?
Tracking cookies are set by advertising and analytics companies (Google, Meta, TikTok, etc.) to follow your activity across different websites. Common examples include _ga (Google Analytics), _fbp (Facebook Pixel), and fr (Facebook ad tracking). You can block them using a browser extension like uBlock Origin or Privacy Badger, or by switching to a privacy-focused browser like Firefox or Brave that blocks them by default.
What does SameSite on a cookie do?
SameSite controls when a cookie is sent with cross-site requests. Strict means it's only sent from the same site. Lax allows it on top-level navigations like clicking a link. None means it's always sent — including third-party requests, which is how cross-site trackers work. Cookies without an explicit SameSite attribute fall back to the browser's default, which modern browsers treat as Lax.
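
The checks listed under "What Gets Checked", together with the visibility limits described in the FAQ, sketched as an added example (not IP Drills' own code). The finding labels, the exact-name tracker match, and measuring size as UTF-8 bytes are assumptions, and the sample input is constructed.

```javascript
// Added example: audits what page script can actually see.
const TRACKER_NAMES = new Set(['_ga', '_fbp', 'fr']); // examples named in the FAQ
const MAX_ENTRY_BYTES = 4 * 1024;                     // ">4 KB" from the checklist

// document.cookie exposes only "name=value; name2=value2", never attributes.
function parseDocumentCookie(str) {
  return str.split(';').map(s => s.trim()).filter(Boolean).map(pair => {
    const i = pair.indexOf('=');
    return i < 0 ? { name: '', value: pair }
                 : { name: pair.slice(0, i), value: pair.slice(i + 1) };
  });
}

// c: a parsed document.cookie pair, or a Cookie Store API-shaped object
// with `secure` (boolean) and `sameSite` ('strict' | 'lax' | 'none').
function auditCookie(c) {
  const findings = ['no-httponly']; // readable by script, so HttpOnly is not set
  if (TRACKER_NAMES.has(c.name)) findings.push('tracker-pattern');
  if (c.secure === undefined && c.sameSite === undefined) {
    findings.push('attributes-unavailable'); // cannot judge Secure/SameSite
    return findings;
  }
  if (c.secure === false) findings.push('missing-secure');
  if (c.sameSite === 'none') findings.push('samesite-none');
  return findings;
}

// storage: localStorage, sessionStorage, or any object with length/key/getItem.
function auditStorage(storage) {
  const enc = new TextEncoder(); // size measured as UTF-8 bytes (assumption)
  const rows = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const bytes = enc.encode(storage.getItem(key) ?? '').length;
    rows.push({ key, bytes, oversized: bytes > MAX_ENTRY_BYTES });
  }
  return rows;
}

// Constructed sample input; in a browser pass document.cookie and localStorage.
const sampleCookies = parseDocumentCookie('_ga=GA1.1.111.222; theme=dark')
  .concat([{ name: 'sid', value: 'x', secure: false, sameSite: 'none' }]);
const sampleStore = {
  data: { small: 'ok', blob: 'A'.repeat(5000) },
  get length() { return Object.keys(this.data).length; },
  key(i) { return Object.keys(this.data)[i]; },
  getItem(k) { return this.data[k] ?? null; },
};
console.log(sampleCookies.map(c => [c.name, auditCookie(c)]), auditStorage(sampleStore));
```

Every cookie this code can reach is reported as `no-httponly`, because HttpOnly cookies never appear in `document.cookie` in the first place.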
