What a cookie and tracker scan can tell you
A first-response scan gives you a fast inventory of signals present in the HTML a server returns. It can reveal cookies set in HTTP headers and recognizable scripts for analytics, advertising, tag management, and session replay. That makes it a useful starting point when reviewing a new site, a vendor integration, or an unexpected change in your own stack.
The result is intentionally evidence-based: each tracker match names the signature it found, while cookies are shown with their declared scope and security attributes. A match indicates code is present, not that every visitor is necessarily tracked.
How to interpret response cookies
Secure restricts a cookie to HTTPS connections, while HttpOnly prevents client-side JavaScript from reading it. SameSitecontrols when a cookie can accompany cross-site requests. These attributes improve security, but they do not explain the cookie's purpose or determine whether consent is required.
Session cookies expire when the browser session ends. Persistent cookies use an Expires or Max-Age attribute. Review long-lived, broadly scoped cookies carefully, especially when a third party controls the receiving domain.
Why this is not a full browser audit
Modern pages often add trackers after hydration, a consent choice, a route change, or a user interaction. This scanner does not run JavaScript or click a consent banner, so those later requests are outside its view. Browser developer tools, consent-management logs, and a legal review remain important for a complete audit.
Use the report to form specific follow-up questions: who owns this script, which data does it send, how long is that data retained, and can the same product decision be supported with less visitor-level tracking?