Cookie Scanner

Scan cookies set by websites. Check for GDPR compliance, third-party cookies, SameSite attributes, and security flags.

What does Cookie Scanner do?

This actor scans cookies set by websites via HTTP response headers. It identifies first-party vs third-party cookies, checks for Secure and HttpOnly flags, validates SameSite attributes, and categorizes cookies (analytics, advertising, functional, consent). Essential for GDPR and privacy compliance audits.

The actor loads each URL, captures all cookies set during the page load, and returns a structured breakdown including cookie counts by type, security flag status, and individual cookie details with domain, expiry, and category information.

Use cases

• GDPR compliance -- audit cookies before consent banner implementation to know exactly what your site sets
• Privacy auditing -- identify third-party tracking cookies that may require user consent under privacy regulations
• Security assessment -- check for missing Secure and HttpOnly flags that could expose session data
• Cookie policy creation -- inventory all cookies for accurate privacy policy documentation
• Vendor monitoring -- track what cookies third-party scripts set on your pages over time

Why use Cookie Scanner?

• Batch scanning -- scan hundreds of URLs in a single run to audit entire sites or multiple properties at once
• Structured output -- get clean JSON with cookie counts, categories, and security flags ready for compliance reports
• Automatic categorization -- cookies are classified as analytics, advertising, functional, or consent without manual effort
• API access -- integrate cookie auditing into your CI/CD pipeline or compliance monitoring dashboard
• Pay-per-event pricing -- only pay for each page scanned with no monthly fees or subscriptions
• Fast and lightweight -- results for each page return in seconds

Input parameters

Parameter	Type	Required	Default	Description
urls	array	Yes	--	List of web page URLs to scan for cookies. Each URL is loaded and all cookies set during page load are captured.

Example input

{
    "urls": [
        "https://www.google.com",
        "https://www.facebook.com",
        "https://www.amazon.com"
    ]
}

Output fields

Each URL produces one record with the following fields:

Field	Description
url	The original URL provided in the input
domain	The domain name extracted from the URL
cookieCount	Total number of cookies set by the page
firstPartyCookies	Count of cookies matching the page domain
thirdPartyCookies	Count of cookies from external domains
sessionCookies	Count of cookies without an expiry (deleted when browser closes)
persistentCookies	Count of cookies with an expiry date
secureCookies	Count of cookies with the Secure flag
httpOnlyCookies	Count of cookies with the HttpOnly flag
sameSiteNone	Count of cookies with SameSite=None
cookies	Array of individual cookie objects with name, domain, flags, and category
issues	Array of security or compliance issues found
error	Error message if the scan failed, null otherwise
checkedAt	ISO 8601 timestamp of the scan

Output example

{
    "url": "https://www.google.com",
    "domain": "www.google.com",
    "cookieCount": 3,
    "firstPartyCookies": 2,
    "thirdPartyCookies": 1,
    "sessionCookies": 1,
    "persistentCookies": 2,
    "secureCookies": 3,
    "httpOnlyCookies": 1,
    "sameSiteNone": 0,
    "cookies": [
        {
            "name": "NID",
            "domain": "google.com",
            "isSecure": true,
            "isHttpOnly": true,
            "sameSite": "none",
            "isThirdParty": false,
            "category": "advertising"
        }
    ],
    "issues": [],
    "error": null,
    "checkedAt": "2026-03-01T12:00:00.000Z"
}

How much does it cost?

Cookie Scanner uses Apify's pay-per-event pricing. You only pay for what you use.

Event	Price	Description
Start	$0.035	One-time per run
URL scanned	$0.001	Per page scanned

Cost examples:

• 10 pages: $0.035 + 10 x $0.001 = $0.045
• 100 pages: $0.035 + 100 x $0.001 = $0.135
• 1,000 pages: $0.035 + 1,000 x $0.001 = $1.035

Using the Apify API

You can start Cookie Scanner programmatically using the Apify API. Replace YOUR_TOKEN with your Apify API token.

Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_TOKEN' });
const run = await client.actor('automation-lab/cookie-scanner').call({
    urls: ['https://www.google.com', 'https://www.amazon.com'],
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Python

from apify_client import ApifyClient

client = ApifyClient('YOUR_TOKEN')
run = client.actor('automation-lab/cookie-scanner').call(run_input={
    'urls': ['https://www.google.com', 'https://www.amazon.com'],
})
items = client.dataset(run['defaultDatasetId']).list_items().items
print(items)

Integrations

Connect Cookie Scanner with other tools using Apify integrations. Export results to Google Sheets for compliance tracking, send Slack notifications when new third-party cookies appear, trigger Make or Zapier workflows for automated privacy reports, push data to n8n for custom pipelines, or configure webhooks for real-time alerts.

Tips and best practices

• Run before and after consent banner changes to verify that your consent management platform is correctly blocking cookies before user opt-in.
• Check the thirdPartyCookies count as a quick indicator of tracking exposure -- any value above zero may require consent under GDPR.
• Monitor the issues array for cookies missing Secure or HttpOnly flags, which represent security vulnerabilities.
• Schedule monthly scans to catch new cookies introduced by third-party scripts or marketing tags.
• Combine with Privacy Policy Detector to cross-reference whether your cookie policy accurately lists all cookies found on your site.

FAQ

Does Cookie Scanner execute JavaScript on the page? Yes. The actor uses a browser to load each page, executing JavaScript and capturing all cookies set during the full page load lifecycle, including those set by third-party scripts.

Can I scan pages that require authentication? The actor scans pages as an anonymous visitor. Pages behind login walls will only return cookies set on the public-facing login page.

What cookie categories does the actor detect? Cookies are classified as analytics, advertising, functional, or consent based on known cookie name patterns and domain matching against common third-party services.