
Set-Cookie Builder

Build a valid Set-Cookie response header with SameSite, Secure, HttpOnly, Partitioned, Max-Age, and __Host- prefix support. Server snippets included.

Set-Cookie header builder

Quick presets

Start from a real intent

Name and value

The cookie itself

Tip: prefix with __Host- to lock the cookie to the exact origin, or __Secure- to require HTTPS.

URI-encode is safer if the value can contain spaces, commas, semicolons, or non-ASCII characters.

Scope

Where the browser sends it

Leave blank for a host-only cookie (sent only to the exact host). When set, the cookie is also sent to subdomains.

Path scoping. Defaults to /. Must start with a slash. __Host- prefixed cookies must use exactly /.

Expiry

How long the cookie lives

Common values are available as one-click preset chips. The current setting keeps the cookie for 1 day from when the response is received.

Security

Attributes that protect the cookie

Lax is the modern default. Strict disables cookies on navigations from other sites. None enables cross-site cookies for embeds and third-party flows and requires the Secure attribute.

Priority: optional Chromium-only attribute that hints at eviction order. Other browsers ignore it safely.

Output

Your Set-Cookie header

69 bytes

Set-Cookie: session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax

Attributes

Attribute   Value
Name        session
Value       abc123
Path        /
Max-Age     86400
Secure      (flag)
HttpOnly    (flag)
SameSite    Lax
Browser keeps the cookie for 1 day, then deletes it. Sent only to the host that set it (no Domain attribute) for requests under /. It is not readable from JavaScript (HttpOnly) and only sent over HTTPS (Secure). SameSite=Lax means the browser sends it on same-site requests and on top-level navigations using safe methods (GET).
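The breakdown table and the plain-English summary above are produced by parsing the header value attribute by attribute. The following is an added example, not the tool's own code: it parses a Set-Cookie value into the same attribute table, reports the byte count shown in the output panel, and derives the lifetime, scope, and SameSite summary. Attribute names are matched case-insensitively, as browsers do; the helper names are this example's own.

```python
# Added example (not the tool's own code): parse a Set-Cookie header value into
# the attribute breakdown shown above and build the same kind of plain-English
# summary. Attribute names are matched case-insensitively, as browsers do.
from typing import Dict

FLAG_ATTRIBUTES = {"secure", "httponly", "partitioned"}
CANONICAL = {
    "domain": "Domain", "path": "Path", "max-age": "Max-Age", "expires": "Expires",
    "samesite": "SameSite", "secure": "Secure", "httponly": "HttpOnly",
    "partitioned": "Partitioned", "priority": "Priority",
}
SAMESITE_MEANING = {
    "lax": "on same-site requests and on top-level navigations using safe methods (GET)",
    "strict": "on same-site requests only, never on navigations from other sites",
    "none": "on cross-site requests too (requires Secure)",
}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split 'name=value; Attr=val; Flag' into an attribute table.

    The cookie pair lands under 'Name' and 'Value'; flag attributes map to the
    marker '(flag)' to mirror the breakdown table. A leading 'Set-Cookie:' is
    tolerated so a raw header line can be pasted in.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        raise ValueError("missing cookie name=value pair")
    name, value = parts[0].split("=", 1)
    attrs = {"Name": name.strip(), "Value": value.strip()}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        lowered = key.strip().lower()
        if lowered in FLAG_ATTRIBUTES:
            attrs[CANONICAL[lowered]] = "(flag)"
        else:
            attrs[CANONICAL.get(lowered, key.strip())] = val.strip()
    return attrs


def header_size(header_value: str) -> int:
    """Byte length of the header value, the number compared to the 4096-byte minimum."""
    return len(header_value.encode("utf-8"))


def humanize_seconds(secs: int) -> str:
    """Express a Max-Age in the largest unit that divides it exactly."""
    for unit, size in (("year", 31536000), ("week", 604800), ("day", 86400),
                       ("hour", 3600), ("minute", 60)):
        if secs % size == 0:
            n = secs // size
            return f"{n} {unit}" + ("" if n == 1 else "s")
    return f"{secs} seconds"


def describe_lifetime(attrs: Dict[str, str]) -> str:
    # Max-Age wins over Expires when both are present, so it is checked first.
    if "Max-Age" in attrs:
        secs = int(attrs["Max-Age"])
        if secs <= 0:
            return "Browser deletes the cookie immediately (Max-Age<=0)."
        return f"Browser keeps the cookie for {humanize_seconds(secs)}, then deletes it."
    if "Expires" in attrs:
        return f"Browser keeps the cookie until {attrs['Expires']}."
    return "Session cookie: kept until the browser session ends."


def summarize(attrs: Dict[str, str]) -> str:
    """Plain-English description of what the parsed cookie does."""
    sentences = [describe_lifetime(attrs)]
    scope = (f"Sent to {attrs['Domain']} and its subdomains" if "Domain" in attrs
             else "Sent only to the host that set it (no Domain attribute)")
    sentences.append(f"{scope} for requests under {attrs.get('Path', 'the request path')}.")
    if "HttpOnly" in attrs:
        sentences.append("It is not readable from JavaScript (HttpOnly).")
    sentences.append("Only sent over HTTPS (Secure)." if "Secure" in attrs
                     else "Also sent over plain HTTP (no Secure flag).")
    mode = attrs.get("SameSite", "").lower()
    if mode in SAMESITE_MEANING:
        sentences.append(f"SameSite={attrs['SameSite']} means the browser sends it {SAMESITE_MEANING[mode]}.")
    return " ".join(sentences)


if __name__ == "__main__":
    raw = "Set-Cookie: session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax"
    table = parse_set_cookie(raw)
    for k, v in table.items():
        print(f"{k:<10}{v}")
    print(header_size(raw.split(":", 1)[1].strip()), "bytes")
    print(summarize(table))
```

Running it on the header from the output panel prints the same eight-row table, the 69-byte count, and a summary matching the one above. Feeding it a header with a Domain attribute changes the scope sentence to name the domain and its subdomains, which is the quickest way to spot a session cookie that was scoped wider than intended.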

Server snippets

Paste into your server

Ready-to-paste examples for the runtimes most people use to send Set-Cookie headers.

Raw header

Set-Cookie: session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax

Node.js http / Next.js Route Handler

response.setHeader("Set-Cookie", "session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax");

Next.js Response init

return new Response(body, {
  headers: { "Set-Cookie": "session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax" },
});

Express.js

res.setHeader("Set-Cookie", "session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax");
// or, with Express's built-in res.cookie() helper (note: its maxAge option is in milliseconds):
// res.cookie("session", "abc123", { path: "/", maxAge: 86400 * 1000, secure: true, httpOnly: true, sameSite: "lax" });

Fastify

reply.header("Set-Cookie", "session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax");

Go net/http (raw header)

w.Header().Add("Set-Cookie", `session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax`)

Python Flask

response.headers.add("Set-Cookie", "session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax")

Python Django (HttpResponse)

response["Set-Cookie"] = "session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax"

Apache (.htaccess / VirtualHost)

# "Header set" replaces any Set-Cookie header the application already sent; use "Header add" to append one instead
Header set Set-Cookie "session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax"

Nginx

# add_header directives in a location block replace those inherited from the server or http level; "always" keeps the header on error responses too
add_header Set-Cookie "session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax" always;

Test with curl (send as request cookie)

curl -i -H 'Cookie: session=abc123' https://example.com/

Attribute cheat sheet

  • Domain: where the cookie applies. Omit for host-only cookies (the safest default). Subdomains receive the cookie when set.
  • Path: only sent for URLs under this prefix. Defaults to the directory of the request-URI; use / for site-wide cookies.
  • Max-Age and Expires both set lifetime. If both are present, Max-Age wins. Prefer Max-Age in new code (no clock skew).
  • Secure: only sent over HTTPS. HttpOnly: hidden from JavaScript.
  • SameSite: Lax (the default in modern browsers) blocks most cross-site uses; Strict blocks them all; None enables cross-site and requires Secure.
  • Partitioned (CHIPS): opt in to per-top-level-site storage for third-party cookies.
  • Priority: Chromium hint for eviction order. Other browsers ignore it.

Name prefixes

  • __Secure-name: the browser rejects the cookie unless it has the Secure attribute and is set from a secure origin.
  • __Host-name: the strictest prefix. Requires Secure, no Domain attribute, and Path exactly /. Use it for session cookies you want locked to the exact origin.

Common mistakes

  • Forgetting Secure on SameSite=None. The browser silently drops the cookie.
  • Setting both Expires and Max-Age. Max-Age wins, so the Expires is dead code at best, misleading at worst.
  • Setting a Domain when you meant host-only. Subdomains get the cookie, which is rarely what you want for a login session.
  • Cookie value with a comma or semicolon and no encoding. Many parsers will truncate the value at the separator.
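The cheat sheet, the prefix rules, and the common-mistakes list above are all checks that can be run before a header leaves the server. The following is an added example, not the tool's own code: it builds a Set-Cookie value from a set of options (with the same attribute order as the output panel) and reports the problems the warnings panel describes: prefix constraints, SameSite=None and Partitioned without Secure, Expires already in the past, both Max-Age and Expires set, unencoded separators in the value, and headers over 4096 bytes. The option names, the ISO-8601 string form accepted for Expires, and the message wording are this example's own.

```python
# Added example (not the tool's own code): build a Set-Cookie header from a set
# of options and run the constraint checks the cheat sheet, prefix rules and
# common-mistakes list describe, so a bad header is caught before it is sent.
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import format_datetime
from typing import List, Optional, Union
from urllib.parse import quote

COOKIE_SIZE_LIMIT = 4096  # per-cookie minimum user agents must accept (RFC 6265)


@dataclass
class CookieOptions:
    name: str
    value: str
    path: str = "/"
    domain: Optional[str] = None
    max_age: Optional[int] = None
    expires: Optional[Union[datetime, str]] = None  # datetime or ISO-8601 string
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = "Lax"   # "Lax", "Strict", "None", or None to omit
    partitioned: bool = False
    priority: Optional[str] = None     # Chromium hint: "Low", "Medium" or "High"
    uri_encode: bool = True


def _as_utc(value: Union[datetime, str]) -> datetime:
    """Normalise an Expires input to an aware UTC datetime (naive input is taken as UTC)."""
    dt = datetime.fromisoformat(value) if isinstance(value, str) else value
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def build_header(o: CookieOptions) -> str:
    """Serialise the options into a Set-Cookie header value."""
    value = quote(o.value, safe="") if o.uri_encode else o.value
    parts = [f"{o.name}={value}"]
    if o.domain:
        parts.append(f"Domain={o.domain}")
    parts.append(f"Path={o.path}")
    if o.max_age is not None:
        parts.append(f"Max-Age={o.max_age}")
    if o.expires is not None:
        # Expires must be an RFC 7231 IMF-fixdate in GMT, e.g. "Sat, 01 Jan 2000 00:00:00 GMT"
        parts.append("Expires=" + format_datetime(_as_utc(o.expires), usegmt=True))
    if o.secure:
        parts.append("Secure")
    if o.http_only:
        parts.append("HttpOnly")
    if o.same_site:
        parts.append(f"SameSite={o.same_site}")
    if o.partitioned:
        parts.append("Partitioned")
    if o.priority:
        parts.append(f"Priority={o.priority}")
    return "; ".join(parts)


def validate_cookie(o: CookieOptions, now: Optional[datetime] = None) -> List[str]:
    """Return the problems a browser (or a future maintainer) would trip over."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    if o.name.startswith("__Host-"):
        if not o.secure:
            problems.append("__Host- prefix requires Secure")
        if o.domain:
            problems.append("__Host- prefix forbids a Domain attribute")
        if o.path != "/":
            problems.append("__Host- prefix requires Path=/")
    elif o.name.startswith("__Secure-") and not o.secure:
        problems.append("__Secure- prefix requires Secure")
    if o.same_site == "None" and not o.secure:
        problems.append("SameSite=None without Secure: browser silently drops the cookie")
    if o.partitioned and not o.secure:
        problems.append("Partitioned without Secure: browser rejects the cookie")
    if o.max_age is not None and o.expires is not None:
        problems.append("both Max-Age and Expires set: Max-Age wins, Expires is dead code")
    if o.expires is not None and _as_utc(o.expires) <= now:
        problems.append("Expires is in the past: the cookie is deleted, not stored")
    if not o.uri_encode and any(c in o.value for c in " ,;"):
        problems.append("value contains a separator and is not encoded: parsers may truncate it")
    if len(build_header(o).encode("utf-8")) > COOKIE_SIZE_LIMIT:
        problems.append(f"header exceeds {COOKIE_SIZE_LIMIT} bytes: some user agents drop it")
    return problems


if __name__ == "__main__":
    session = CookieOptions("session", "abc123", max_age=86400, secure=True, http_only=True)
    print(build_header(session), validate_cookie(session))
    bad = CookieOptions("__Host-id", "x", domain="example.com", same_site="None")
    for problem in validate_cookie(bad):
        print("warning:", problem)
```

The first call reproduces the login-session header from the output panel with no problems; the second shows how one badly configured __Host- cookie trips three checks at once. Wiring validate_cookie into a test suite for the code path that issues session cookies turns each of the common mistakes above into a failing test rather than a silently missing cookie in production.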

How to use

  1. Pick a preset (login session, __Host- session, cross-site embed, persistent preference, logout, or cart) to seed sensible defaults, or start from scratch.
  2. Type the cookie name and value. Toggle URI-encode if the value can contain spaces, commas, or semicolons.
  3. Set the scope: leave Domain blank for a host-only cookie, or set it to share the cookie across subdomains. Keep Path as / unless you have a reason to scope it tighter.
  4. Choose an expiry: Max-Age in seconds is recommended (preset chips cover the common durations), Expires takes a date, and Session keeps it for the browser session only.
  5. Toggle Secure, HttpOnly, and Partitioned (CHIPS), pick a SameSite mode, and optionally set the Chromium Priority hint. Read the warnings panel and fix any errors flagged.
  6. Copy the Set-Cookie value, or grab a ready-made snippet for Node, Express, Fastify, Next.js, Go, Flask, Django, Apache, or Nginx.

About this tool

Set-Cookie Builder turns a form of cookie options into a correct, well-formed Set-Cookie response header that you can paste straight into your server. It implements the RFC 6265 cookie grammar plus the modern attributes that real browsers care about today: SameSite (Lax, Strict, or None), the Secure and HttpOnly flags, the Partitioned attribute for CHIPS-style third-party cookies, the Chromium Priority hint, and the __Secure- and __Host- name prefixes with their full constraint set (Secure required, no Domain attribute for __Host-, Path exactly equal to / for __Host-).

Three expiry modes are supported: a recommended Max-Age in seconds with one-click presets for the common lifetimes (5 minutes, 1 hour, 1 day, 1 week, 30 days, 1 year, delete), a legacy Expires datetime that is auto-converted to the RFC 7231 IMF-fixdate format in GMT, and a session cookie with no expiry attribute.

Six real-intent presets seed sensible defaults for a login session, a __Host-prefixed session, a cross-site embed cookie that uses SameSite=None plus Partitioned, a 1-year preference cookie, an explicit logout header that uses Max-Age=0, and a 30-day cart cookie.

The output panel shows the full header value with a copy button, an attribute-by-attribute breakdown table, a plain-English summary of what the cookie does, and a live byte count compared to the 4096-byte per-cookie minimum browsers must accept. A warnings panel surfaces the gotchas that cost engineers hours in production: SameSite=None without Secure (silently dropped), Partitioned without Secure (rejected), __Host- with a Domain or non-root Path (rejected), Expires already in the past (cookie deleted), and oversized cookies (dropped by some user agents).

Ten ready-to-paste server snippets cover Node.js http, Express, Fastify, Next.js Route Handler, Go net/http, Python Flask, Django, Apache, and Nginx, plus a curl command to test the resulting cookie.

Everything runs in your browser; cookie names, values, and domains never leave your device. Useful for setting up secure session cookies, opting in to CHIPS for a third-party embed, building a clean logout header, locking a cookie to the exact origin with __Host-, debugging why a cross-site cookie is not arriving, or learning what each Set-Cookie attribute actually does.

Free to use. Works in your browser. No signup, no login.
