Cookie & Privacy Hygiene · Updated 2026-05-02

Overall Hygiene

Informational roll-up: prefix usage, session lifetime, scope breadth, tracker-before-consent. Weight 0; surfaces findings only.

This check is informational and does not affect your score (weight 0). It is a roll-up of secondary cookie-hygiene signals that overlap with the three scored audits (Secure, HttpOnly, SameSite). Reporting them here as advisory keeps the scored audits focused on individual attributes while still surfacing the broader hygiene picture in one place.

How the check works

Per primary host, the check parses every cookie and looks for seven independent signals. Each one that fires becomes an advisory finding in the evidence; none affect the score directly.

  • COOKIE_HYGIENE_TOO_MANY: more than 15 cookies on first response. Each cookie is attack surface, tracking surface, and per-request bytes; large numbers usually mean third-party drift over time.
  • COOKIE_HYGIENE_SCOPE_BROAD: a session cookie set with Domain=.yourdomain.tld (parent-domain scope) instead of host-only. Parent-domain scope leaks the cookie to every subdomain, including subdomains you may not control as tightly as the apex.
  • COOKIE_HYGIENE_PREFIX: session cookies do not use __Host- or __Secure- prefixes. These prefixes are self-policing safety nets enforced by the browser and prevent several classes of cookie-injection attacks.
  • COOKIE_SESSION_STRICTNESS_GAP: at least one session cookie is missing one of Secure, HttpOnly, or SameSite. The three scored audits each catch their own attribute; this one fires when there is inconsistency across cookies set by the same host.
  • COOKIE_SESSION_LIFETIME_LONG: a session cookie has a lifetime longer than 7 days. Long sessions extend the impact of any token theft and outlive most reasonable "forgot to log out" recovery windows.
  • COOKIE_TRACKING_LIFETIME_LONG: a tracker cookie has a lifetime longer than 180 days. Most privacy frameworks (GDPR, CCPA) push toward shorter retention; modern browsers (Safari ITP, Firefox ETP) cap most tracker cookies at 7 days regardless of what you set.
  • COOKIE_TRACKER_BEFORE_CONSENT: tracker cookies were observed without any consent cookie also present. In jurisdictions with prior-consent requirements (most of the EU and EEA), setting trackers before recording consent is a regulatory issue.
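The seven signals above, implemented as an added example over constructed Set-Cookie headers (this is not RedScore's scanner code). The thresholds are the ones the page states; classifying cookies as session, tracker or consent by name fragment, and the scan date used for Expires arithmetic, are assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_COOKIES, MAX_SESSION_DAYS, MAX_TRACKER_DAYS = 15, 7, 180   # thresholds stated on the page
SESSION_HINTS = ("sess", "sid", "auth", "csrf", "remember")     # assumed session-cookie name fragments
TRACKER_HINTS = ("_ga", "_gid", "_fbp", "_gcl")                 # assumed tracker-cookie name prefixes
NOW = datetime(2026, 5, 2, tzinfo=timezone.utc)                 # assumed scan date for Expires arithmetic

def parse_set_cookie(header, now=NOW):
    # Returns the cookie name, its attributes (lower-cased keys) and its lifetime in days (None = browser-session).
    parts = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    days = int(attrs["max-age"]) / 86400 if "max-age" in attrs else None  # Max-Age wins over Expires
    if days is None and "expires" in attrs:
        days = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return {"name": parts[0].partition("=")[0].strip(), "attrs": attrs, "days": days}

def hygiene_findings(headers, now=NOW):
    """Return the sorted advisory signal names that fire for one host's first-response Set-Cookie headers."""
    cookies = [parse_set_cookie(h, now) for h in headers]
    findings = {"COOKIE_HYGIENE_TOO_MANY"} if len(cookies) > MAX_COOKIES else set()
    has_tracker = has_consent = False
    for c in cookies:
        lname, attrs, days = c["name"].lower(), c["attrs"], c["days"] or 0
        if "consent" in lname:                           # assumed consent-cookie marker
            has_consent = True
        elif lname.startswith(TRACKER_HINTS):
            has_tracker = True
            if days > MAX_TRACKER_DAYS:
                findings.add("COOKIE_TRACKING_LIFETIME_LONG")
        elif any(h in lname for h in SESSION_HINTS):
            if attrs.get("domain", "").startswith("."):  # parent-domain scope
                findings.add("COOKIE_HYGIENE_SCOPE_BROAD")
            if not c["name"].startswith(("__Host-", "__Secure-")):
                findings.add("COOKIE_HYGIENE_PREFIX")
            if not all(a in attrs for a in ("secure", "httponly", "samesite")):
                findings.add("COOKIE_SESSION_STRICTNESS_GAP")
            if days > MAX_SESSION_DAYS:
                findings.add("COOKIE_SESSION_LIFETIME_LONG")
    if has_tracker and not has_consent:
        findings.add("COOKIE_TRACKER_BEFORE_CONSENT")
    return sorted(findings)

# Constructed sample first response: a weak session cookie, a hardened CSRF cookie and a long-lived tracker.
SAMPLE_HEADERS = [
    "sessionid=abc123; Domain=.example.test; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; HttpOnly",
    "__Host-csrf=tok; Path=/; Secure; HttpOnly; SameSite=Strict",
    "_ga=GA1.2.1; Domain=.example.test; Path=/; Max-Age=63072000",
]
```

Running `hygiene_findings(SAMPLE_HEADERS)` fires six of the seven signals; only the hardened `__Host-csrf` cookie contributes nothing.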

How to use this check

Treat each surfaced finding as an audit prompt. The scored fix lives in the relevant individual check; this page is for context.

TOO_MANY: trim cookie volume

Audit which cookies are actually needed; stale cookies linger after every third-party tool migration. Common bloat sources: A/B testing platforms, analytics platforms that were removed but whose JavaScript still includes cookie-setting code, abandoned consent management platforms, and deprecated marketing pixels.

SCOPE_BROAD: use host-only cookies

Set cookies without a Domain attribute, or with Domain explicitly equal to the host (no leading dot). A cookie set on yourdomain.tld with no Domain attribute is sent only on requests to yourdomain.tld. Setting Domain=.yourdomain.tld broadcasts to every subdomain, multiplying the blast radius of any subdomain takeover.

PREFIX: use __Host- or __Secure-

  • __Host- prefix: cookie name must start with __Host-. Browser enforces Secure, no Domain attribute, Path=/. The strictest cookie shape; ideal for session cookies.
  • __Secure- prefix: cookie name must start with __Secure-. Browser enforces Secure. Useful when you need a Domain attribute (cross-subdomain auth) but still want self-policing.
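The prefix rules in the two bullets above, written out as an added check (not code from this page or from any browser). A cookie that violates them is not "set with a warning": the browser discards it, so a session cookie renamed to __Host- without the matching attributes stops working entirely. The function and the EXAMPLES table are constructed; the requirement that prefixed cookies be set from a secure origin is not modelled.

```python
def prefix_accepted(set_cookie):
    """Apply the __Host-/__Secure- rules a browser enforces; returns (accepted, reason)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    if name.startswith("__Host-"):
        if "secure" not in attrs:
            return False, "__Host- cookie rejected: Secure attribute missing"
        if "domain" in attrs:
            return False, "__Host- cookie rejected: Domain attribute present"
        if attrs.get("path") != "/":
            return False, "__Host- cookie rejected: Path must be exactly /"
    elif name.startswith("__Secure-") and "secure" not in attrs:
        return False, "__Secure- cookie rejected: Secure attribute missing"
    return True, "accepted"

# Constructed examples: the first is the session-cookie shape the page recommends;
# the other two are silently dropped, which a scan sees as "no session cookie set".
EXAMPLES = {
    "hardened": "__Host-session=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
    "host_with_domain": "__Host-session=abc; Domain=example.test; Path=/; Secure; HttpOnly",
    "secure_without_secure": "__Secure-session=abc; Path=/; HttpOnly; SameSite=Lax",
}
```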

STRICTNESS_GAP: be consistent across session cookies

If you set multiple cookies that all participate in session state (auth + CSRF + remember-me), apply Secure + HttpOnly + SameSite consistently across all of them. Inconsistency suggests one was added in a hurry without matching the established pattern.

SESSION_LIFETIME_LONG: shorten session lifetimes

Most apps set Expires/Max-Age on the session cookie to match the desired session length. 7 days is a reasonable default for low-sensitivity apps; high-sensitivity apps (banking, healthcare, admin panels) typically run hours or less, with renewal on activity. Long sessions extend the window during which a stolen token is useful.

TRACKING_LIFETIME_LONG: shorten tracker lifetimes

Modern browsers cap tracker cookies regardless of what you set (Safari Intelligent Tracking Prevention, Firefox Enhanced Tracking Protection). Setting Max-Age beyond 180 days does not actually extend the cookie on those browsers and signals retention behavior that does not match modern privacy norms. Bring lifetimes down.

TRACKER_BEFORE_CONSENT: gate trackers on consent

Use a consent management platform (CMP: Cookiebot, OneTrust, Cookieyes, Axeptio, Didomi, Usercentrics, Osano, TrustArc, etc.) and configure it to gate non-essential cookies behind explicit user opt-in. Trackers should not fire until consent is recorded. The check looks for a consent cookie alongside trackers; if there are trackers but no recognized consent cookie, the consent step is likely missing.

Verify

  • Open the page in DevTools → Application → Cookies. Walk the list and check each cookie's name, Domain, Path, Secure, HttpOnly, SameSite, and Expires.
  • curl -sI -c /dev/null https://yourdomain.tld | grep -iE 'set-cookie' shows the raw Set-Cookie headers your server returns on first response.
  • Re-run the RedScore lookup. The scored cookie checks update with the changes; this informational check shows updated findings.

For the scored individual cookie checks (Secure, HttpOnly, SameSite), see their dedicated fix pages. The findings here are advisory; remediation guidance lives on those pages.