Cookie Scanner

Scan cookies set by websites. Check for GDPR compliance, third-party cookies, SameSite attributes, and security flags.

What does Cookie Scanner do?

This actor scans cookies set by websites via HTTP response headers. It identifies first-party vs third-party cookies, checks for Secure and HttpOnly flags, validates SameSite attributes, and categorizes cookies (analytics, advertising, functional, consent). Essential for GDPR and privacy compliance audits.

The actor loads each URL, captures all cookies set during the page load, and returns a structured breakdown including cookie counts by type, security flag status, and individual cookie details with domain, expiry, and category information.

Use cases

• GDPR compliance -- audit cookies before consent banner implementation to know exactly what your site sets
• Privacy auditing -- identify third-party tracking cookies that may require user consent under privacy regulations
• Security assessment -- check for missing Secure and HttpOnly flags that could expose session data
• Cookie policy creation -- inventory all cookies for accurate privacy policy documentation
• Vendor monitoring -- track what cookies third-party scripts set on your pages over time

Why use Cookie Scanner?

• Batch scanning -- scan hundreds of URLs in a single run to audit entire sites or multiple properties at once
• Structured output -- get clean JSON with cookie counts, categories, and security flags ready for compliance reports
• Automatic categorization -- cookies are classified as analytics, advertising, functional, or consent without manual effort
• API access -- integrate cookie auditing into your CI/CD pipeline or compliance monitoring dashboard
• Pay-per-event pricing -- only pay for each page scanned with no monthly fees or subscriptions
• Fast and lightweight -- results for each page return in seconds

Input parameters

Parameter	Type	Required	Default	Description
urls	array	Yes	--	List of web page URLs to scan for cookies. Each URL is loaded and all cookies set during page load are captured.

Example input

{
    "urls": [
        "https://www.google.com",
        "https://www.facebook.com",
        "https://www.amazon.com"
    ]
}

Output fields

Each URL produces one record with the following fields:

Field	Description
url	The original URL provided in the input
domain	The domain name extracted from the URL
cookieCount	Total number of cookies set by the page
firstPartyCookies	Count of cookies matching the page domain
thirdPartyCookies	Count of cookies from external domains
sessionCookies	Count of cookies without an expiry (deleted when browser closes)
persistentCookies	Count of cookies with an expiry date
secureCookies	Count of cookies with the Secure flag
httpOnlyCookies	Count of cookies with the HttpOnly flag
sameSiteNone	Count of cookies with SameSite=None
cookies	Array of individual cookie objects with name, domain, flags, and category
issues	Array of security or compliance issues found
error	Error message if the scan failed, null otherwise
checkedAt	ISO 8601 timestamp of the scan

Output example

{
    "url": "https://www.google.com",
    "domain": "www.google.com",
    "cookieCount": 3,
    "firstPartyCookies": 2,
    "thirdPartyCookies": 1,
    "sessionCookies": 1,
    "persistentCookies": 2,
    "secureCookies": 3,
    "httpOnlyCookies": 1,
    "sameSiteNone": 0,
    "cookies": [
        {
            "name": "NID",
            "domain": "google.com",
            "isSecure": true,
            "isHttpOnly": true,
            "sameSite": "none",
            "isThirdParty": false,
            "category": "advertising"
        }
    ],
    "issues": [],
    "error": null,
    "checkedAt": "2026-03-01T12:00:00.000Z"
}

How much does it cost to scan website cookies?

Cookie Scanner uses Apify's pay-per-event pricing. You only pay for what you use.

Event	Price	Description
Start	$0.035	One-time per run
URL scanned	$0.001	Per page scanned

Cost examples:

• 10 pages: $0.035 + 10 x $0.001 = $0.045
• 100 pages: $0.035 + 100 x $0.001 = $0.135
• 1,000 pages: $0.035 + 1,000 x $0.001 = $1.035

How to scan cookies on a website

1. Go to the Cookie Scanner page on Apify Store.
2. Click Try for free to open the actor in Apify Console.
3. Enter the URLs you want to scan in the urls input field.
4. Click Start to begin the cookie scan.
5. Once the run finishes, download your results as JSON, CSV, or Excel from the Dataset tab.

Using the Apify API

You can start Cookie Scanner programmatically using the Apify API. Replace YOUR_TOKEN with your Apify API token.

Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_TOKEN' });
const run = await client.actor('automation-lab/cookie-scanner').call({
    urls: ['https://www.google.com', 'https://www.amazon.com'],
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Python

from apify_client import ApifyClient

client = ApifyClient('YOUR_TOKEN')
run = client.actor('automation-lab/cookie-scanner').call(run_input={
    'urls': ['https://www.google.com', 'https://www.amazon.com'],
})
items = client.dataset(run['defaultDatasetId']).list_items().items
print(items)

cURL

curl "https://api.apify.com/v2/acts/automation-lab~cookie-scanner/runs" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -d '{"urls": ["https://www.google.com", "https://www.amazon.com"]}'

Use with AI agents via MCP

Cookie Scanner is available as a tool for AI assistants via the Model Context Protocol (MCP).

Setup for Claude Code

$claude mcp add --transport http apify "https://mcp.apify.com"

Setup for Claude Desktop, Cursor, or VS Code

{
    "mcpServers": {
        "apify": {
            "url": "https://mcp.apify.com"
        }
    }
}

Example prompts

• "Scan cookies on https://example.com for GDPR compliance"
• "What cookies does this website set?"

Learn more in the Apify MCP documentation.

Integrations

Connect Cookie Scanner with other tools using Apify integrations. Export results to Google Sheets for compliance tracking, send Slack notifications when new third-party cookies appear, trigger Make or Zapier workflows for automated privacy reports, push data to n8n for custom pipelines, or configure webhooks for real-time alerts.

Tips and best practices

• Run before and after consent banner changes to verify that your consent management platform is correctly blocking cookies before user opt-in.
• Check the thirdPartyCookies count as a quick indicator of tracking exposure -- any value above zero may require consent under GDPR.
• Monitor the issues array for cookies missing Secure or HttpOnly flags, which represent security vulnerabilities.
• Schedule monthly scans to catch new cookies introduced by third-party scripts or marketing tags.
• Combine with Privacy Policy Detector to cross-reference whether your cookie policy accurately lists all cookies found on your site.

Is it legal to scan website cookies?

Yes. Cookie Scanner only analyzes publicly visible cookies set by websites during normal browsing. This is the same information any visitor's browser automatically receives and stores.

Cookie scanning is a standard compliance practice encouraged by regulations like GDPR, ePrivacy Directive, and CCPA. Many organizations are legally required to audit the cookies their websites set.

Key points:

• Only publicly served cookies are analyzed — no authentication is bypassed
• The tool behaves like a regular browser visit
• Cookie auditing is a recommended practice under GDPR and ePrivacy regulations
• No private or personal data is collected beyond what the website sends to any visitor

For more details, see the Apify guide on ethical web scraping.

Legality

This tool analyzes publicly accessible web content. Automated analysis of public web resources is standard practice in SEO and web development. Always respect robots.txt directives and rate limits when analyzing third-party websites. For personal data processing, ensure compliance with applicable privacy regulations.

FAQ

Does Cookie Scanner execute JavaScript on the page? Yes. The actor uses a browser to load each page, executing JavaScript and capturing all cookies set during the full page load lifecycle, including those set by third-party scripts.

Can I scan pages that require authentication? The actor scans pages as an anonymous visitor. Pages behind login walls will only return cookies set on the public-facing login page.

What cookie categories does the actor detect? Cookies are classified as analytics, advertising, functional, or consent based on known cookie name patterns and domain matching against common third-party services.

The actor found fewer cookies than I see in my browser DevTools. Why? The actor captures cookies set during the initial page load. Cookies set after user interactions (clicking consent banners, scrolling, navigating to other pages) may not appear because the actor does not simulate those interactions. For a complete cookie inventory, consider scanning multiple pages on the same site.

A cookie is categorized incorrectly. Can I override the category? The actor classifies cookies based on known name patterns and domain matching. Novel or custom cookie names may be miscategorized. The raw cookie data (name, domain, flags) is always included in the output, so you can apply your own categorization logic downstream.

Other SEO tools

• Cloaking Detector -- Detect SEO cloaking on web pages.
• Broken Link Checker -- Find broken links across your website.
• Canonical URL Checker -- Verify canonical tags on your pages.
• SEO Title Checker -- Check title tags for SEO best practices.
• Heading Structure Checker -- Audit heading hierarchy on web pages.
• Content Readability Checker -- Analyze readability scores for your content.
• CSS Stats Analyzer -- Analyze CSS usage and complexity on web pages.