{"id":50901672,"url":"https://github.com/didrod205/cookie-doctor","last_synced_at":"2026-06-16T03:04:39.408Z","repository":{"id":362625691,"uuid":"1260012130","full_name":"didrod205/cookie-doctor","owner":"didrod205","description":"Lint Set-Cookie headers for security locally — missing HttpOnly/Secure/SameSite, SameSite=None without Secure, over-broad Domain, and __Host-/__Secure- prefix violations that make browsers silently drop your cookie. Deterministic CLI, JSON/MD reports.","archived":false,"fork":false,"pushed_at":"2026-06-05T05:16:18.000Z","size":58,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-05T07:29:36.251Z","etag":null,"topics":["appsec","cli","cookie","csrf","devsecops","httponly","linter","samesite","secure","security","security-headers","session","set-cookie","typescript","web-security"],"latest_commit_sha":null,"homepage":"https://didrod205.github.io/cookie-doctor/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/didrod205.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-05T04:30:55.000Z","updated_at":"2026-06-05T05:26:16.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/didrod205/cookie-doctor","commit_stats":null,"previous_names":["didrod205/cookie-doctor"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/didrod205/cookie-doctor","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/didrod205%2Fcookie-doctor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/didrod205%2Fcookie-doctor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/didrod205%2Fcookie-doctor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/didrod205%2Fcookie-doctor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/didrod205","download_url":"https://codeload.github.com/didrod205/cookie-doctor/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/didrod205%2Fcookie-doctor/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34388681,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-16T02:00:06.860Z","response_time":126,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","cli","cookie","csrf","devsecops","httponly","linter","samesite","secure","security","security-headers","session","set-cookie","typescript","web-security"],"created_at":"2026-06-16T03:04:39.242Z","updated_at":"2026-06-16T03:04:39.399Z","avatar_url":"https://github.com/didrod205.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# 🍪 cookie-doctor\n\n### Lint your `Set-Cookie` headers for security — locally, no website.\n\n[![npm version](https://img.shields.io/npm/v/cookie-doctor.svg?color=success)](https://www.npmjs.com/package/cookie-doctor)\n[![bundle size](https://img.shields.io/bundlephobia/minzip/cookie-doctor?label=core%20gzip)](https://bundlephobia.com/package/cookie-doctor)\n[![CI](https://github.com/didrod205/cookie-doctor/actions/workflows/ci.yml/badge.svg)](https://github.com/didrod205/cookie-doctor/actions/workflows/ci.yml)\n[![types](https://img.shields.io/npm/types/cookie-doctor.svg)](https://www.npmjs.com/package/cookie-doctor)\n[![license](https://img.shields.io/npm/l/cookie-doctor.svg)](./LICENSE)\n\n**[🌐 Try the browser playground →](https://didrod205.github.io/cookie-doctor/)** \u0026nbsp;·\u0026nbsp; paste a `Set-Cookie`, see its security holes. Nothing is uploaded — it all runs client-side.\n\n\u003c/div\u003e\n\nYou set a session cookie and shipped it. But it went out without `HttpOnly` (so any\nXSS can steal it), without `Secure` (so it rides plain HTTP), with `SameSite=None`\nbut no `Secure` (so the browser **rejects it entirely**), or with a `__Host-` prefix\nwhose strict rules it quietly violates — and now logins mysteriously don't stick.\nYou find out from a pentest, a console warning, or a 3 a.m. incident.\n\n**cookie-doctor lints a `Set-Cookie` for these problems locally and\ndeterministically** — from a string, a `curl -I` response, or a config file. It\nknows the `__Host-`/`__Secure-` prefix rules and the `SameSite=None`↔`Secure`\ninteraction, the exact spec people get wrong.\n\n```bash\nnpx cookie-doctor scan -c \"sid=abc; SameSite=None\"\n```\n\n```\nsid  46/100 (F)\n  ✗ SameSite=None without Secure — the browser rejects the cookie   [SameSite]\n  ✗ No HttpOnly — this looks like a session cookie, JS can read it  [HttpOnly]\n  ✗ No Secure — sent over plaintext HTTP                            [Secure]\n```\n\n---\n\n## Why cookie-doctor?\n\n- 🧨 **It catches the \"silently dropped\" bugs.** `__Host-` without `Secure`, with a\n  `Domain`, or without `Path=/`; `SameSite=None` without `Secure` — the browser\n  rejects these cookies outright, so your session just *doesn't work*. cookie-doctor\n  flags them as **validity** errors, not style nits.\n- 🎯 **Severity that knows what a session cookie is.** A missing `HttpOnly` on\n  `sid`/`auth`/a JWT-valued cookie is an **error**; on `theme=dark` it's a gentle\n  warning. No noise.\n- 🔒 **Local \u0026 deterministic.** No website, no API key, runs offline and in CI.\n  Same cookie → same result. Fail the PR that ships an insecure session cookie.\n- 🧩 **Reads it from anywhere.** A raw `Set-Cookie`, a `curl -I` dump, an nginx\n  `add_header`, an Apache `Header set`, or `vercel.json`.\n\nWhy not paste it into an LLM? The `__Host-`/`__Secure-` rules and the\n`SameSite=None`/`Secure` interaction are exact spec a chatbot gets subtly wrong —\nand you want this gating session config on **every** PR, not once.\n\n## Install\n\n```bash\n# run it now\nnpx cookie-doctor scan -c \"\u003cyour Set-Cookie\u003e\"\n\n# or add it\nnpm install -g cookie-doctor      # global CLI\nnpm install -D cookie-doctor      # CI dependency\n```\n\nNode ≥ 18. The core is dependency-free and browser-safe.\n\n## Quick start\n\n```bash\ncookie-doctor scan -c \"__Host-sid=abc; Secure; HttpOnly; SameSite=Lax; Path=/\"\ncurl -sI https://example.com | cookie-doctor scan       # straight from a response\ncookie-doctor scan headers.txt _headers vercel.json     # from configs\ncookie-doctor scan -c \"\u003ccookie\u003e\" --min-score 80          # CI gate\ncookie-doctor scan headers.txt --md cookies.md           # Markdown report\ncookie-doctor init                                       # write a config\n```\n\nSee [`examples/sample-report.md`](./examples/sample-report.md), and\n[`examples/strong.cookie.txt`](./examples/strong.cookie.txt) for a cookie that\nscores 100.\n\n## What it checks\n\n| Group | Examples |\n| ----- | -------- |\n| **Will be dropped by the browser** | `__Host-`/`__Secure-` prefix rules (Secure required, no Domain, `Path=/`), `SameSite=None` without `Secure`, invalid `SameSite`, oversized (\u003e 4 KB) |\n| **XSS / theft** | missing `HttpOnly` (error on session/token cookies) |\n| **CSRF** | missing `SameSite` |\n| **Transport** | missing `Secure` |\n| **Scope** | `Domain` shared with subdomains, legacy leading-dot `Domain` |\n| **Lifetime** | long-lived auth cookies (configurable threshold) |\n\nEach finding is a weighted error / warning / info; the cookie rolls up to a 0–100\nscore and an A–F grade you can gate in CI.\n\n## Real scenarios\n\n**1. Gate session-cookie security in CI.** A PR that adds an auth cookie without\n`HttpOnly`/`Secure`, or breaks a `__Host-` rule, fails the build:\n\n```yaml\n# .github/workflows/ci.yml\n- run: curl -sI http://localhost:3000/login | npx cookie-doctor scan --min-score 90\n```\n\n**2. Audit what your framework actually sends.** Pipe a real response through it —\n`express-session`, NextAuth, a reverse proxy — and see the attributes you *thought*\nwere set.\n\n**3. Triage a security finding.** A scanner said \"insecure cookie\" — `cookie-doctor`\ntells you *which* attribute and *why*, with the exact fix.\n\n## Configuration\n\n`cookie-doctor init` writes `cookie-doctor.config.json`:\n\n```jsonc\n{\n  \"ignore\": [],                                  // rule ids to skip\n  \"sessionNames\": [\"session\", \"sid\", \"auth\", \"token\", \"jwt\", \"...\"],\n  \"maxAgeDays\": 30,                              // warn above this lifetime\n  \"minScore\": 0                                  // CI gate threshold\n}\n```\n\n## Library API\n\n```ts\nimport { analyzeSetCookie, DEFAULT_CONFIG } from \"cookie-doctor\";\n\nconst report = analyzeSetCookie(\"inline\", \"sid=abc; Secure\", DEFAULT_CONFIG, Date.now());\nfor (const f of report.findings) console.log(f.severity, f.rule, f.attribute);\n```\n\nAlso exported: `parseSetCookie`, `checkCookie`, `extractCookies`, `lifetimeSeconds`,\nand types. The core has zero runtime dependencies.\n\n## Roadmap\n\n- 🤖 **Optional `--ai` layer (bring-your-own key)** to explain a cookie's risk in\n  context / suggest a hardened header. The core stays 100% offline and deterministic.\n- `Partitioned` (CHIPS) attribute awareness.\n- Read cookies from a saved `.har` or a browser cookie export.\n- ✅ **A browser playground** — paste a `Set-Cookie`, see the audit, nothing uploaded.\n  [Live here](https://didrod205.github.io/cookie-doctor/).\n\n## 💖 Sponsor\n\ncookie-doctor is free and MIT-licensed, built and maintained in spare time. If it\ncaught an insecure cookie before your users did, please consider supporting it:\n\n- ⭐ **Star this repo** — the simplest free way to help others find it.\n- 🍋 **[Sponsor via Lemon Squeezy](https://elab-studio.lemonsqueezy.com/checkout/buy/5d059b89-51d0-456b-b33a-ed56994f7010)** — one-time or recurring.\n\n## License\n\n[MIT](./LICENSE) © cookie-doctor contributors\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdidrod205%2Fcookie-doctor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdidrod205%2Fcookie-doctor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdidrod205%2Fcookie-doctor/lists"}