RedScore.ai

Cookie & Privacy Hygiene

100 points total

Audits cookies set by your site for security attributes — Secure flag, HttpOnly flag, SameSite policy, session lifetime, tracking practices, and overall cookie hygiene.

Checks

Check               ID                          Weight
Secure Flag Audit   cookie_secure_flag_audit    34 pts
HttpOnly Audit      cookie_httponly_audit       33 pts
SameSite Audit      cookie_samesite_audit       33 pts
Overall Hygiene     cookie_overall_hygiene      info

Pass / Warn / Fail Logic

Secure Flag Audit

Composite score based on the proportion of cookies that carry the Secure flag; session cookies missing it incur a higher penalty.

HttpOnly Audit

Composite score; session cookies without HttpOnly are penalized more heavily.

SameSite Audit

Composite score; SameSite=None without Secure is a fail; missing SameSite is a warning.

Overall Hygiene

Informational only (weight 0). Generates advisory findings.

Findings & How to Fix Them

These are the specific findings RedScore may report for this category, along with remediation guidance.

[high] Session Cookie Missing Secure (COOKIE_SECURE_SESSION_MISSING)

Set the Secure flag on all session cookies so they are never sent over plain HTTP.

[high] Session Cookie Missing HttpOnly (COOKIE_HTTPONLY_SESSION_MISSING)

Set HttpOnly on session cookies so JavaScript cannot read them (mitigates XSS token theft).

[high] SameSite=None Without Secure (COOKIE_SAMESITE_NONE_NO_SECURE)

SameSite=None requires Secure; either add Secure or change SameSite to Lax/Strict.

[medium] Non-Session Cookie Missing Secure (COOKIE_SECURE_NONSESSION_MISSING)

Set Secure on sensitive cookies, or scope them so they are only needed on HTTPS pages.

[medium] SameSite Not Set (COOKIE_SAMESITE_MISSING)

Set an explicit SameSite attribute (typically Lax or Strict) on session cookies for predictable CSRF behavior.

[medium] Long Session Lifetime (COOKIE_SESSION_LIFETIME_LONG)

Reduce session cookie lifetime. Favor short-lived sessions with renewal and server-side invalidation.

[medium] Tracker Before Consent (COOKIE_TRACKER_BEFORE_CONSENT)

Avoid setting non-essential tracking cookies before consent is recorded on the page.

[medium] Session Attribute Inconsistency (COOKIE_SESSION_STRICTNESS_GAP)

Session cookies should consistently use Secure, HttpOnly, and SameSite attributes.

[low] Non-Session Cookie Missing HttpOnly (COOKIE_HTTPONLY_NONSESSION_WARN)

Consider HttpOnly on authentication-related cookies where JavaScript access is not required.

[low] Too Many Cookies (COOKIE_HYGIENE_TOO_MANY)

Reduce first-response Set-Cookie volume where possible; many cookies increase attack surface and tracking.

[low] Broad Cookie Scope (COOKIE_HYGIENE_SCOPE_BROAD)

Prefer host-scoped cookies over parent-domain (Domain=.) when feasible to limit cross-subdomain exposure.

[low] Missing Cookie Prefixes (COOKIE_HYGIENE_PREFIX)

Use __Host- / __Secure- prefixes for high-sensitivity cookies where applicable to enforce scope and HTTPS.

[low] Long Tracking Cookie Lifetime (COOKIE_TRACKING_LIFETIME_LONG)

Reduce long-lived tracking cookie retention and align retention windows with your privacy policy.
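The pass/warn/fail rules above and the finding IDs in this list can be reproduced against a response's Set-Cookie headers. The following is an added example, not RedScore's own code: the session-cookie name hints and the 24-hour lifetime cut-off are assumptions, and the sample headers are constructed.

```python
from typing import Dict, List
# Assumption: RedScore's session-cookie classification is undocumented here, so a cookie
# counts as a session cookie when its name carries one of these hints.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")
MAX_SESSION_SECONDS = 24 * 3600  # assumed cut-off for "long" session lifetime

def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into {"name": ..., <attribute lower-cased>: value}."""
    name_value, *attrs = [part.strip() for part in header.split(";")]
    cookie = {"name": name_value.split("=", 1)[0]}
    for attr in attrs:
        key, _, value = attr.partition("=")
        cookie[key.strip().lower()] = value.strip()
    return cookie

def audit_cookie(cookie: Dict[str, str]) -> List[str]:
    """Return the page's finding IDs that apply to one cookie, in check order."""
    findings: List[str] = []
    name = cookie["name"]
    session = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
    secure, httponly = "secure" in cookie, "httponly" in cookie
    samesite = cookie.get("samesite", "").lower()
    if not secure:  # high for session cookies, medium otherwise
        findings.append("COOKIE_SECURE_SESSION_MISSING" if session else "COOKIE_SECURE_NONSESSION_MISSING")
    if not httponly:  # high for session cookies, low advisory otherwise
        findings.append("COOKIE_HTTPONLY_SESSION_MISSING" if session else "COOKIE_HTTPONLY_NONSESSION_WARN")
    if samesite == "none" and not secure:  # fail: SameSite=None requires Secure
        findings.append("COOKIE_SAMESITE_NONE_NO_SECURE")
    elif not samesite and session:  # warning: no explicit SameSite on a session cookie
        findings.append("COOKIE_SAMESITE_MISSING")
    max_age = cookie.get("max-age", "")
    if session and max_age.isdigit() and int(max_age) > MAX_SESSION_SECONDS:
        findings.append("COOKIE_SESSION_LIFETIME_LONG")
    if session and not name.startswith(("__Host-", "__Secure-")):
        findings.append("COOKIE_HYGIENE_PREFIX")
    return findings

def samesite_verdict(findings: List[str]) -> str:
    """Pass/warn/fail for the SameSite audit as the page states it."""
    if "COOKIE_SAMESITE_NONE_NO_SECURE" in findings:
        return "fail"
    return "warn" if "COOKIE_SAMESITE_MISSING" in findings else "pass"

def audit_response(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    return {c["name"]: audit_cookie(c) for c in map(parse_set_cookie, set_cookie_headers)}

# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = ["sessionid=abc123; Path=/; HttpOnly",
                  "__Host-sid=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
                  "_tracker=xyz; Max-Age=31536000; SameSite=None"]
```

Running `audit_response(SAMPLE_HEADERS)` flags the bare session cookie and the SameSite=None tracker while the __Host- cookie comes back clean, and the SameSite audit verdict for the response is "fail" because of the tracker.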