Do you know which cookies your website sets?
Most website operators don't know all the cookies on their site. Our scanner finds them all — with 4 detection methods, automatic categorization, and lifetime verification.
4 Detection Methods
We use a real Chrome browser — this way we also detect JavaScript-based and dynamically set cookies.
HTTP Response Headers
Set-Cookie headers from all HTTP responses
Browser Cookies (CDP)
Chrome DevTools Protocol reads all browser cookies
LocalStorage Scan
LocalStorage & sessionStorage checked for tracking patterns
Request Analysis
Third-party requests with cookie correlation
What We Check
Cookie Lifetimes (CNIL 13-Month Rule)
What
The French CNIL has recommended that tracking cookies should be valid for a maximum of 13 months. Other European DPAs increasingly align with this guideline.
Risk
Cookies with lifetimes exceeding 13 months are considered disproportionate. Some websites accidentally set cookies with 10+ year lifetimes.
Compliso checks
Compliso checks the lifetime of every single cookie and warns when the 13-month limit is exceeded. Cookies over 10 years are flagged as "forever cookies."
Cookie Categorization
What
Each cookie is assigned to a category: Necessary, Functional, Analytical, Marketing, or Unknown.
Risk
Cookies without correct categorization may be treated incorrectly by the banner. Necessary cookies don't require consent; marketing cookies do.
Compliso checks
Our database automatically recognizes thousands of known cookies. Unknown cookies are marked as "Unknown" — a signal that you need to take action.
Third-Party vs. First-Party
What
First-party cookies are set by your own domain. Third-party cookies come from external services (Google, Facebook, etc.).
Risk
Third-party cookies always require active consent (opt-in). Many website operators don't even know their CMS or plugin sets third-party cookies.
Compliso checks
Compliso automatically distinguishes between first-party and third-party and assigns each cookie to its provider.
LocalStorage & SessionStorage
What
Beyond classic HTTP cookies, many trackers use the browser's localStorage. From a data protection perspective, this is treated the same as cookies.
Risk
LocalStorage entries have no expiry date and persist permanently. They are often overlooked by cookie scanners.
Compliso checks
Compliso also scans localStorage and sessionStorage for known tracking patterns (_ga, _fbp, _hjSession, _tt_ and more).
Cookie Flags (HttpOnly, Secure, SameSite)
What
Cookie flags affect security: HttpOnly prevents JavaScript access, Secure enforces HTTPS, SameSite protects against CSRF.
Risk
Session cookies without the HttpOnly flag are vulnerable to cookie theft via XSS, and without the Secure flag they can be transmitted over unencrypted HTTP. Missing SameSite flags allow cross-site request forgery.
Compliso checks
Every cookie is checked for its security flags. Insecure configurations are reported as issues.
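The lifetime and flag checks described above can be reproduced on raw Set-Cookie headers. The following is an added example, not Compliso's code: the thresholds (13 months taken as 396 days, "forever" as more than 3650 days), the issue labels, and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_DAYS = 396       # assumption: 13 months rounded up to whole days
FOREVER_DAYS = 3650  # assumption: "over 10 years" taken as 10 * 365 days

def audit_set_cookie(header, now):
    """Audit one Set-Cookie header value against the lifetime and flag checks."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    lifetime = None  # None means a session cookie (no Max-Age or Expires)
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            lifetime = int(attrs["max-age"]) / 86400
        except ValueError:
            pass  # malformed Max-Age is ignored, fall back to Expires
    if lifetime is None and "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = (expires - now).total_seconds() / 86400
        except (TypeError, ValueError):
            pass  # unparseable date: treated as a session cookie here

    issues = []
    if lifetime is not None and lifetime > FOREVER_DAYS:
        issues.append("forever-cookie")
    elif lifetime is not None and lifetime > MAX_DAYS:
        issues.append("exceeds-13-months")
    issues += [f"missing-{flag}" for flag in ("httponly", "secure", "samesite")
               if flag not in attrs]
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        issues.append("samesite-none-without-secure")
    return {"name": name, "lifetime_days": lifetime, "issues": issues}

# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.1.1; Path=/; Max-Age=63072000",
    "pref=dark; Expires=Fri, 01 Jan 2038 00:00:00 GMT; Secure; SameSite=None",
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatable output

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit_set_cookie(h, NOW))
```

A missing HttpOnly flag is reported for every cookie here; cookies that scripts must read (such as analytics identifiers) need a per-cookie decision rather than a blanket fix.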
Network Request Analysis
What
Not just the cookies themselves, but also HTTP requests are analyzed. Which domains does your website contact?
Risk
Every request to an external server transmits at least the visitor's IP address — personal data under GDPR.
Compliso checks
Compliso captures all outgoing requests, assigns them to providers, and evaluates the GDPR risk.
From Scan to GDPR-Compliant Setup
Compliso doesn't just detect cookies — it integrates the results directly into your banner and privacy policy.
1. Scanner finds all cookies
Automatically, regularly, with 4 detection methods.
2. Banner blocks automatically
Detected trackers are blocked by the cookie banner until the user consents.
3. Privacy policy is updated
New cookies and trackers are automatically added to your privacy policy.
4. You get notified
For new, unknown, or problematic cookies, you receive an immediate notification.
Find all cookies — in seconds
Start a free demo scan and find out which cookies your website sets.