Reports & Analysis

Cookie Lens includes four comprehensive reports to help you understand cookie security, privacy, expiration, and size.

Security Report

Evaluate how well your cookies are protected against attacks.

Security Scoring

Each cookie gets a security score (0-100):

• HttpOnly (33 points) — prevents JavaScript access (protects against XSS).
• Secure (33 points) — HTTPS-only transmission (prevents eavesdropping).
• SameSite (34 points) — controls cross-site sending (prevents CSRF).

Score interpretation:

• 80+ — Good.
• 60-79 — Fair.
• 40-59 — Poor.
• 0-39 — Critical.

Overall Site Score

Average security score across all cookies. Better when higher.

Per-Cookie Analysis

Each cookie shows:

• Current score and grade (Good, Fair, Poor, Critical).
• Missing protections — which flags could improve security.
• SameSite level — Strict (best), Lax (default), None (risky), or Unspecified.
• Recommendations — what to fix.

Common Issues

Missing HttpOnly:

• JavaScript can steal the cookie (XSS vulnerability).
• Use for auth tokens, sensitive identifiers.
• Disable only if the app needs to read cookies via JavaScript.

Missing Secure flag:

• Sent over unencrypted HTTP (network sniffing risk).
• Always enable on HTTPS sites.
• May be optional on localhost / dev sites.

SameSite=None:

• Sent in cross-site requests (CSRF risk).
• Only use for intentional cross-site cookies (CDNs, embed plugins).
• Requires Secure flag.

SameSite=Unspecified:

• Treated as Lax by modern browsers.
• Consider explicitly setting to Lax or Strict.

How to Improve

1. Identify cookies with low scores.
2. Click the cookie to see recommendations.
3. Edit to enable missing protections.
4. Save and verify the app still works.
5. Re-run the report to confirm improvement.

Privacy Report

Identify privacy risks and tracking concerns.

Risk Levels

Each cookie is classified as:

• High risk — multiple privacy concerns.
• Medium risk — some concerns.
• Low risk — generally safe.

Risk Factors

3rd-Party Cookies

• Set by domains other than the current site.
• Often used for tracking and analytics.
• Require user awareness and consent.

Tracker Domains

• Known analytics providers: Google Analytics, Facebook, etc.
• Known ad networks: Criteo, Taboola, etc.
• Known measurement services: Hotjar, Mixpanel, etc.

Cross-Site Cookies

• SameSite=None (sent on cross-origin requests).
• More easily tracked across sites.
• Riskier for user privacy.

Long-Lived Cookies

• Expire in > 1 year.
• May require explicit GDPR consent.
• Signal persistent tracking.

Sensitive Names

• Cookies with auth/session keywords in the name.
• May need extra protection.
• Examples: token, session, auth, credentials.

Privacy Report Sections

Summary Cards

• Total cookies by risk category.
• 3rd-party count.
• Tracker count.
• Cross-site count.
• Long-lived count.

3rd-Party Domains

List of all third-party domains with:

• Domain name.
• Count of cookies.
• Tracker badge (if known tracker).

Per-Cookie Risk Table

Each cookie shows:

• Name.
• Domain.
• Risk level with color coding.
• Clicking shows details.

How to Improve Privacy

1. Identify 3rd-party and tracker cookies.
2. Understand why they're set (analytics, ads, features?).
3. Consider blocking or limiting them.
4. Consent — ensure users have opted in.
5. Monitor — check reports regularly.

Expiry Report

Track cookie lifetimes and find expiration issues.

Expiry Buckets

Cookies are grouped by how long they live:

• Expired — already expired (should be removed).
• < 1 hour — expiring very soon.
• 1-7 days — short-term cookies.
• 7-30 days — medium-term cookies.
• 30 days - 1 year — long-term cookies.
• > 1 year — very long-term (persistent).
• Session — expires when browser closes.

Summary Statistics

• Total cookies — all cookies for the site.
• Session cookies — those that expire on browser close.
• Persistent cookies — those with explicit expiry times.
• Expired — cookies that are already expired.
• Expiring soon — cookies expiring within 1 hour.

Per-Cookie Details

Each cookie shows:

• Name and domain.
• Exact expiry time.
• Time until expiry (in readable format).
• Bucket category.
• Export in report.

Common Patterns

Auth Tokens (typically < 1 day)

• Short-lived for security.
• May use refresh tokens for longer sessions.
• Often renewed on each request.

User Preferences (typically 1-10 years)

• Long-lived since they're not sensitive.
• Improve user experience (remember settings).
• Safe to keep even after login.

Session Cookies (browser window lifetime)

• Expire immediately on browser close.
• Common for temporary session tokens.
• Good privacy practice.

Tracking Cookies (typically 1-2 years)

• Long-lived to track users across visits.
• Privacy concern.
• May require consent.

Expiry Issues to Fix

Expired Cookies

• Remove them to clean up browser storage.
• They take up space but aren't used.
• Click cookie and delete.

Too-Long Expiry

• Auth cookies > 1 week are a security risk.
• Edit to shorter lifetime.
• User has to log in more often (security) vs. less frequently (convenience).

Too-Short Expiry

• Session cookies that expire mid-use.
• Can cause unexpected logouts.
• Extend expiry or use refresh tokens.

Size Report

Optimize cookie sizes and stay within browser limits.

Cookie Limits

Per-Cookie Limit: 4,096 bytes

• Browser enforces this hard limit.
• Cookies larger than this are rejected.
• Cookie Lens warns at > 3,500 bytes.

Per-Domain Limit: ~180 cookies, ~4,000-8,000 bytes total

• Browser implementation dependent.
• Some sites hit limits with many small cookies.
• Consolidate data into fewer cookies if needed.

Practical Limit: ~2,000 bytes

• Accounting for headers and overhead.
• Safe for most browsers and proxies.
• Some corporate proxies reject larger cookies.

Size Analysis

Per-Cookie View

• Name and domain.
• Size in bytes and human-readable (KB, MB).
• Percentage of limit.
• Color coding:
  • Green — safe (< 60% limit).
  • Yellow — warning (60-85% limit).
  • Red — danger (> 85% limit).

Per-Domain View

• Domain name.
• Total size of all cookies for that domain.
• Count of cookies.
• Warnings if near limit.

Overall Statistics

• Total size of all cookies.
• Largest cookie.
• Cookie count.
• Efficiency metrics.

How to Optimize

Identify Large Cookies

• Sort by size.
• Look for unexpected large values.
• Usually indicates overly complex data.

Compress Data

• JSON can be Base64-encoded (smaller than text).
• Remove unnecessary fields.
• Use shorter field names.
• Delete old or stale data.

Split Data

• Move some data to localStorage if it doesn't need to be sent to the server.
• Use multiple cookies instead of one large one.
• But remember: more cookies increase header size.

Clean Up Expired

• Delete expired cookies (they're taking up space).
• Delete abandoned/unused cookies.
• Regularly audit cookie usage.

Example Optimization

Original cookie (4,500 bytes):

{
  "user": {"id": "123", "name": "John", "email": "[email protected]"},
  "preferences": {},
  "history": [],
  "metadata": {}
}

Issues:

• Exceeds 4,096 byte limit — rejected by browser.
• Contains redundant data.

Optimized:

{"uid":"123","p":"light","m":1234567890}

Result:

• 150 bytes (down from 4,500+).
• Fits easily within limits.
• Includes only essential data.
• Still decodable and usable.

Export Reports

All reports can be exported:

1. Click the Export button at the bottom of the report.
2. Choose format: JSON or CSV.
3. Download file with timestamp.
4. Use for:
   • Compliance documentation.
   • Team sharing.
   • Historical comparison.
   • Automated analysis.

Tips & Tricks

• Run reports regularly — set a reminder to audit monthly.
• Compare over time — export reports and look for changes.
• Focus on critical items — fix high-risk cookies first.
• Test after changes — re-run reports after editing.
• Share with team — use exports to discuss security with teammates.
• Automate monitoring — track reports across your sites.

See Also

• Inspecting Cookies — understanding attributes.
• Editing Cookies — how to fix issues found in reports.