Cookie & Privacy Hygiene

100 points total

Audits cookies set by your site for security attributes — Secure flag, HttpOnly flag, SameSite policy, session lifetime, tracking practices, and overall cookie hygiene.

Checks

Check	Weight	What it measures
Secure Flag Audit `cookie_secure_flag_audit`	34 pts	Checks whether cookies (especially session cookies) have the Secure flag set.
HttpOnly Audit `cookie_httponly_audit`	33 pts	Checks whether cookies have the HttpOnly flag to prevent JavaScript access.
SameSite Audit `cookie_samesite_audit`	33 pts	Evaluates SameSite attribute usage across cookies for CSRF protection.
Overall Hygiene `cookie_overall_hygiene`	info	Informational roll-up of cookie count, scope breadth, prefix usage, and lifetime analysis. Not scored but may generate findings.

Pass / Warn / Fail Logic

For many checks, earned points follow the verdict: full weight on pass, partial credit on some checks for warn, and none on fail. Where it matters, we spell out the points below.

Secure Flag Audit

Composite score based on proportion of cookies with Secure flag; higher penalty for session cookies.

HttpOnly Audit

Composite score; session cookies without HttpOnly are penalized more heavily.

SameSite Audit

Composite score; SameSite=None without Secure is a fail; missing SameSite is a warning.

Overall Hygiene

Informational only (weight 0). Generates advisory findings.

Findings & How to Fix Them

These are the specific findings RedScore may report for this category, along with remediation guidance.

highSession Cookie Missing SecureCOOKIE_SECURE_SESSION_MISSING

Set the Secure flag on all session cookies so they are never sent over plain HTTP.

highSession Cookie Missing HttpOnlyCOOKIE_HTTPONLY_SESSION_MISSING

Set HttpOnly on session cookies so JavaScript cannot read them (mitigates XSS token theft).

highSameSite=None Without SecureCOOKIE_SAMESITE_NONE_NO_SECURE

SameSite=None requires Secure; either add Secure or change SameSite to Lax/Strict.

mediumNon-Session Cookie Missing SecureCOOKIE_SECURE_NONSESSION_MISSING

Set Secure on sensitive cookies, or scope them so they are only needed on HTTPS pages.

mediumSameSite Not SetCOOKIE_SAMESITE_MISSING

Set an explicit SameSite attribute (typically Lax or Strict) on session cookies for predictable CSRF behavior.

mediumLong Session LifetimeCOOKIE_SESSION_LIFETIME_LONG

Reduce session cookie lifetime. Favor short-lived sessions with renewal and server-side invalidation.

mediumTracker Before ConsentCOOKIE_TRACKER_BEFORE_CONSENT

Avoid setting non-essential tracking cookies before consent is recorded on the page.

mediumSession Attribute InconsistencyCOOKIE_SESSION_STRICTNESS_GAP

Session cookies should consistently use Secure, HttpOnly, and SameSite attributes.

lowNon-Session Cookie Missing HttpOnlyCOOKIE_HTTPONLY_NONSESSION_WARN

Consider HttpOnly on authentication-related cookies where JavaScript access is not required.

lowToo Many CookiesCOOKIE_HYGIENE_TOO_MANY

Reduce first-response Set-Cookie volume where possible; many cookies increase attack surface and tracking.

lowBroad Cookie ScopeCOOKIE_HYGIENE_SCOPE_BROAD

Prefer host-scoped cookies over parent-domain (Domain=.) when feasible to limit cross-subdomain exposure.

lowMissing Cookie PrefixesCOOKIE_HYGIENE_PREFIX

Use __Host- / __Secure- prefixes for high-sensitivity cookies where applicable to enforce scope and HTTPS.

lowLong Tracking Cookie LifetimeCOOKIE_TRACKING_LIFETIME_LONG

Reduce long-lived tracking cookie retention and align retention windows with your privacy policy.

Web Application Security Technology Fingerprinting