Cookie Governance

Scan your website cookies for functionality and privacy risks.

Cookies are fundamental to any web-based experience, whether they store personal preferences, logged-in states, or shopping carts, or track visitor behavior so you can optimize experiences. But cookies need to be monitored for functionality and potential security risks.

ObservePoint provides a website cookie audit, so you know exactly what’s happening with them and when something deserves a closer look.


How many cookies are being set on your website?

As a first step in governing your cookies, you’ll need to know exactly how many cookies are on your site and what they’re being used for, so you can accurately classify and monitor them.

ObservePoint’s Cookie Inventory page shows you how many unique cookies were found during your audit and a complete list of cookie names and domains. You’ll be able to scan for any cookies that seem unfamiliar and find out why they are there, who owns them, and where they are coming from.

What percentage of cookies are third vs first-party?

Many browsers are blocking third-party cookies by default, so you’ll want to understand your site’s dependence on third-party technologies. If your percentage of third-party to first-party cookies is over a 50/50 split, then you might want to examine if you have too many. 

ObservePoint’s Cookie Inventory page shows you both the total number of first- and third-party cookies and which type each cookie is.

How frequently is each cookie being set? Which pages do/don’t have each cookie?

Contextual information about your cookies might not be available from other tools such as a Consent Management Platform, which generally gives you a de-duped list of cookies without showing you where or how often they are being placed.

ObservePoint provides details such as how many pages each cookie is set on and what those page URLs are.  

Do any cookies on my website have an HTTPOnly value of “false”?

HTTPOnly means that the cookie can only be read by the server and not by JavaScript on the client or in the browser. Setting it helps protect against cross-site scripting attacks, because injected script cannot read the cookie's value.

The Cookie Inventory page in ObservePoint’s platform shows each cookie’s HTTPOnly status.

Are any cookies Non-secure?

If a cookie is secure, it means that the cookie will only be sent over a secure channel, which can mitigate Man-In-The-Middle attacks. A non-secure cookie should be examined to see whether it can be updated, or to find out who controls it so you can ask them. Not every cookie needs to be secure, but you should be aware of which aren’t and why.

ObservePoint shows you the total number of Non-secure cookies and whether each listed cookie is secure or not.

Are any of your cookies excessively large?

A cookie’s size doesn’t necessarily make it good or bad, but an excessively large cookie could indicate that there’s more information it might be collecting and passing on to third parties. You should examine large cookies to make sure you feel confident about the relationship you have with that vendor and technology.

In ObservePoint’s platform, the cookie size is an average because a specific cookie could be showing up on different pages. If you drill into specific pages, you can see the actual size on that page.

Do any of your cookies have empty SameSite values?

SameSite can be used to instruct the browser to only send the cookie when the request is originating from the same site. This can mitigate cross-site request forgery attacks. Again, not every cookie should have a SameSite value, but it’s a best practice to not leave it empty.

The Cookie Inventory page reports the total number of empty SameSite values and which cookies they are.
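The checks described above (first vs third party, HTTPOnly, Secure, size, empty SameSite) can be reproduced over raw Set-Cookie headers. The following is an added example, not ObservePoint code: the function names, the 1024-byte size threshold, the suffix-match test for first-party domains, and the sample headers are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

SIZE_LIMIT = 1024  # assumed review threshold in bytes; the page names no figure

@dataclass
class Finding:
    name: str
    domain: str
    third_party: bool
    size: int
    issues: list = field(default_factory=list)

def parse_set_cookie(header, response_host):
    """Return (name, value, attrs); attribute names are lower-cased."""
    pair, *rest = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in rest) if k.strip()}
    attrs.setdefault("domain", response_host)  # no Domain attribute: host-only cookie
    return name, value, attrs

def is_third_party(cookie_domain, site_domain):
    # Simplified suffix match (assumption); a real audit would use the Public Suffix List.
    d, s = cookie_domain.lstrip(".").lower(), site_domain.lower()
    return not (d == s or d.endswith("." + s))

def audit(observations, site_domain):
    findings = []
    for host, header in observations:
        name, value, attrs = parse_set_cookie(header, host)
        size = len((name + value).encode())
        issues = []
        if "httponly" not in attrs:
            issues.append("HttpOnly=false")
        if "secure" not in attrs:
            issues.append("non-secure")
        if not attrs.get("samesite"):
            issues.append("empty SameSite")
        if size > SIZE_LIMIT:
            issues.append("large")
        findings.append(Finding(name, attrs["domain"],
                                is_third_party(attrs["domain"], site_domain), size, issues))
    return findings

def third_party_share(findings):
    return sum(f.third_party for f in findings) / len(findings)

# Constructed sample: (responding host, Set-Cookie value) pairs
SAMPLE = [
    ("www.example.com", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "prefs=dark; Path=/; Domain=.example.com"),
    ("tracker.example.net", "uid=" + "x" * 2000 + "; Secure; SameSite=None"),
]
for f in audit(SAMPLE, "example.com"):
    print(f.name, f.domain, "3rd" if f.third_party else "1st", f.size, f.issues)
```
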
