Insights / Insecure Cookies

🍪 Companies with insecure cookie configurations

These domains set cookies without proper security flags (Secure, HttpOnly, SameSite), leaving users vulnerable to session hijacking and CSRF attacks.

10
Companies affected
2378
Total scanned
0%
Prevalence
Domain
Score
Tier
Cookies
epvw.fa.us6.oraclecloud.com
62/100
Conditional
2 cookie(s)
login.goacoustic.com
62/100
Conditional
7 cookie(s)
sso.interbank.com.pe
62/100
Conditional
2 cookie(s)
interbank.service-now.com
68/100
Conditional
6 cookie(s)
chromewebstore.google.com
72/100
Conditional
1 cookie(s)
+5 more companies
This dataset is available on request. Leave your work email and we'll send you the full list within 24 hours.
No spam — we only use this to send you the data
Request received
We'll send the full dataset to your inbox shortly. Keep an eye out for an email from the LynxRadar team.

Which companies have insecure cookie configurations?

Cookies without the Secure flag can be intercepted over HTTP. Without HttpOnly, JavaScript (including XSS payloads) can steal session cookies. Without SameSite, cookies are vulnerable to cross-site request forgery (CSRF). The domains below were found by LynxRadar to be missing one or more of these critical cookie security attributes.

LynxRadar scanned 2378 domains including Fortune 500 companies and Y Combinator startups. Of those, 10 (0%) were found to have this security gap. The data above is updated continuously as new domains are scanned. Scan any domain to check its status.

Frequently Asked Questions

What cookie security flags should be set?
Every cookie should have: Secure (HTTPS only), HttpOnly (no JavaScript access), and SameSite=Strict or Lax (CSRF protection). Session cookies especially must have all three.
How many companies have insecure cookies?
In LynxRadar's scan of 2378 domains, 10 (0%) were found setting cookies without proper security flags.