Set-Cookie

Instructs the browser to store some information and then send it back to the server on subsequent requests.

The Set-Cookie header is sent by the server when it wants the browser to store a piece of information. The browser then sends the cookie back to the server on subsequent requests that fall within the cookie's scope. Websites use this to personalize content and to keep users signed in to their accounts; a session cookie is, in effect, the user's credential for the duration of the session, which is why the attributes described below matter. Advertising and analytics products use cookies to track users and collect information for various purposes.

The value of the header is a name=value pair followed by zero or more attributes, separated by semicolons. When the browser sees a Set-Cookie header, it stores the cookie with the indicated attributes. A cookie is identified by its name together with its domain and path: if a cookie with the same name, domain and path already exists in the browser, it is replaced with the new version; if only the name matches, the browser keeps both.

Here is an example:

session=aa6c8398be07d2a29da87eafb1b502aa75f1eef3; expires=Fri, 12-Apr-2024 12:20:06 GMT; Max-Age=600000; path=/; domain=.validbot.com; HttpOnly

The possible attributes for the Set-Cookie header are as follows:

  • name=value - The first attribute is the name of the cookie and the value to be stored. The name must not contain control characters, whitespace or separators such as ; and =, and the value must not contain ; , whitespace, double quotes or backslashes; anything else is usually percent- or base64-encoded. Encoding is not a secrecy mechanism: whatever is stored in the browser is readable by the user, so sensitive state belongs server-side behind an opaque random identifier, or must be signed (and, if it has to stay confidential, encrypted) before it is placed in the cookie.
  • Domain=value - Tells the browser which hosts the cookie belongs to. If Domain is omitted, the cookie is host-only: it is sent back only to the exact host that set it. If Domain is set, the cookie is sent to that domain and to every subdomain of it (a leading dot, as in the example above, is ignored), so Domain=validbot.com covers www.validbot.com and api.validbot.com alike. The browser refuses a Domain that does not cover the host that set the cookie. To confine a cookie to a single host, omit the attribute rather than setting it.
  • Expires=date - A date in HTTP-date format (for example Fri, 12 Apr 2024 12:20:06 GMT) after which the cookie will no longer be sent. A date in the past causes the cookie to be deleted immediately.
  • HttpOnly - The cookie is not exposed to JavaScript through document.cookie, so a cross-site scripting bug cannot simply read and exfiltrate it. Include it on every cookie that scripts do not need to read, session identifiers above all. It does not stop script running on the page from issuing requests to which the browser still attaches the cookie.
  • Max-Age=seconds - An alternative to Expires: the number of seconds the browser should keep the cookie. Zero or a negative value deletes the cookie immediately. When both attributes are present, Max-Age takes precedence over Expires.
  • Partitioned - Asks the browser to keep the cookie in a separate jar keyed by the top-level site in which it was set (Cookies Having Independent Partitioned State, CHIPS), so a third-party cookie set while embedded in one site is not sent when the same third party is embedded in another. It requires the Secure attribute.
  • Path=path - Restricts the cookie to a URL path prefix within the domain. For example, to have the cookie sent only for the forums area of a website you might add: Path=/forums/. If Path is omitted, the browser derives it from the URL of the response that set the cookie. Path is a scoping convenience, not a security boundary: a page on another path of the same origin can, for instance, frame a page under /forums/ and read its document.cookie, so do not rely on Path to separate trust levels.
  • SameSite=value - Controls whether the cookie is attached to cross-site requests, which mitigates cross-site request forgery. The only possible values are Strict (never sent on cross-site requests), Lax (sent only on top-level navigations that use a safe method such as GET) and None (sent on all cross-site requests; requires Secure). Chromium-based browsers treat a cookie without SameSite as Lax, other browsers do not, so set the attribute explicitly rather than relying on the default.
  • Secure - Tells the browser to send the cookie only over HTTPS connections, so it cannot be read or injected by an attacker on the network path over plain HTTP. Current browsers also refuse to store a Secure cookie received over http://. Set it on every cookie of a site served over HTTPS; SameSite=None and Partitioned require it.

If a cookie includes neither Expires nor Max-Age, it is a session cookie and is discarded when the browsing session ends (normally when the browser is closed, although browsers that restore the previous session on startup may keep session cookies). Otherwise the cookie persists until it expires, even if the browser is closed and reopened, so a long-lived session cookie widens the window in which a stolen copy remains usable.

The server can delete a cookie by setting it again with Max-Age=0 (or a negative value) or with an Expires date in the past. This is how a website might log you out, for example. The deleting Set-Cookie must carry the same Domain and Path as the original, because the browser identifies a cookie by name, domain and path; with a different Domain or Path it simply stores a second, already-expired cookie and leaves the original in place. Deleting the cookie only affects that browser, so the server should also invalidate the session on its side, or a copied session value stays usable after logout.
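The following is an added example, not code from the original page: a small model of the browser-side rules described in the attribute list above and in the two paragraphs on expiry and deletion. It parses a Set-Cookie header value, applies Domain and Path scoping (including the host-only case and the default path), lets Max-Age take precedence over Expires, enforces that Secure cookies come only over HTTPS and that SameSite=None and Partitioned require Secure, replaces a cookie with the same name, domain and path, and drops an expired one. All function and class names are hypothetical; the only library facility used is the standard URL class. The assumption that a cookie without SameSite behaves as Lax is marked in the code.

```javascript
// Added example (not the page's own code): toy model of how a browser stores
// and returns cookies set via Set-Cookie. Hypothetical helper names throughout.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq <= 0) throw new Error('Set-Cookie must start with name=value');
  const c = {
    name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(),
    domain: null, path: null, expires: null, maxAge: null,
    secure: false, httpOnly: false, sameSite: null, partitioned: false,
  };
  for (const raw of attrs) {
    const i = raw.indexOf('=');
    const key = (i === -1 ? raw : raw.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : raw.slice(i + 1).trim();
    if (key === 'domain') c.domain = val ? val.replace(/^\./, '').toLowerCase() : null; // leading dot ignored
    else if (key === 'path') c.path = val.startsWith('/') ? val : null;   // invalid Path -> default path
    else if (key === 'expires') { const t = Date.parse(val); c.expires = Number.isNaN(t) ? null : t; }
    else if (key === 'max-age') { if (/^-?\d+$/.test(val)) c.maxAge = parseInt(val, 10); }
    else if (key === 'secure') c.secure = true;
    else if (key === 'httponly') c.httpOnly = true;
    else if (key === 'samesite') c.sameSite = val.toLowerCase();
    else if (key === 'partitioned') c.partitioned = true;
    // any other attribute is unknown and ignored, as browsers do
  }
  return c;
}

// Absolute expiry in ms, or null for a session cookie. Max-Age wins over Expires.
function expiryTime(c, now) {
  if (c.maxAge !== null) return c.maxAge <= 0 ? now - 1 : now + c.maxAge * 1000;
  return c.expires;
}

const domainMatches = (host, domain) => host === domain || host.endsWith('.' + domain);

// Path match: exact, or prefix ending in '/', or prefix followed by '/'.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Default path when the Path attribute is absent: request path up to its last '/'.
function defaultPath(reqPath) {
  const i = reqPath.lastIndexOf('/');
  return i <= 0 ? '/' : reqPath.slice(0, i);
}

function sameSiteAllows(c, ctx) {
  if (!ctx.crossSite) return true;
  const mode = c.sameSite || 'lax'; // ASSUMPTION: Chromium-style default when SameSite is absent
  if (mode === 'strict') return false;
  if (mode === 'lax') return !!ctx.topLevelNavigation && (ctx.method || 'GET') === 'GET';
  return true; // 'none' (only storable together with Secure, enforced in setFrom)
}

class CookieJar {
  constructor() { this.store = []; }

  // Apply a Set-Cookie header received in a response from `url`.
  // Returns false where a browser would refuse to store the cookie.
  setFrom(url, header, now = Date.now()) {
    const u = new URL(url);
    const c = parseSetCookie(header);
    if (c.secure && u.protocol !== 'https:') return false;      // Secure cookies only over https
    if (c.sameSite === 'none' && !c.secure) return false;       // SameSite=None requires Secure
    if (c.partitioned && !c.secure) return false;               // Partitioned requires Secure
    if (c.domain === null) { c.domain = u.hostname; c.hostOnly = true; }
    else if (domainMatches(u.hostname, c.domain)) c.hostOnly = false;
    else return false;                                          // cannot set a cookie for another domain
    if (c.path === null) c.path = defaultPath(u.pathname);
    c.expiry = expiryTime(c, now);
    // A cookie is identified by name+domain+path: the new one replaces the old one,
    // and a new one that is already expired just deletes it.
    this.store = this.store.filter(o => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
    if (c.expiry === null || c.expiry > now) this.store.push(c);
    return true;
  }

  // The Cookie header (or document.cookie, when ctx.fromScript) for a request to `url`.
  cookiesFor(url, ctx = {}) {
    const u = new URL(url);
    const now = ctx.now ?? Date.now();
    return this.store
      .filter(c => (c.expiry === null || c.expiry > now)
        && (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain))
        && pathMatches(u.pathname, c.path)
        && (!c.secure || u.protocol === 'https:')
        && !(ctx.fromScript && c.httpOnly)
        && sameSiteAllows(c, ctx))
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
}
```

Feeding the jar a logout Set-Cookie that omits the original's Domain shows the pitfall described above: the model stores a second, host-only cookie and the original session cookie is still returned for the API host. Real browsers apply further rules this model leaves out (the public suffix list, cookie size and count limits, cookie name prefixes), so treat it as an illustration of the attribute semantics, not as a reference implementation.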

Ready to validate your website to check for this header and 100+ other important tests?