
Pillar 2 of 4

Find the cookie set before the consent banner showed up

We load your page in a clean browser, capture every cookie set in the first 2.5 seconds, and tell you which ones are tracking users without consent.

The pre-consent problem regulators care about

GDPR and ePrivacy require that any non-essential cookie or tracker is blocked until the user actively opts in. A surprising number of sites get this wrong because their tag manager fires Google Analytics or Meta Pixel before the consent banner has rendered. Even with a Cookiebot or OneTrust banner installed, the underlying scripts are often loaded with the page rather than gated behind the consent decision. We simulate a fresh visitor with no prior consent state. Anything in the cookie jar after page load that isn't strictly necessary is a finding.

Security flags that quietly fail in production

Modern browsers reject cookies with SameSite=None unless the Secure flag is present. We flag these because they break silently: your auth might appear to work locally and fail for a percentage of users in the wild. Long-expiry cookies (over a year) are a soft GDPR signal: regulators have written guidance suggesting cookie lifetimes should be proportionate to purpose, and 13 months is the de facto retention cap most DPAs accept.

Classification you can trust

Every cookie name is checked against an exact-match dictionary first, then a prefix list (so _ga_XXXX inherits Google Analytics' classification). Cookies we can't classify get a minor severity finding so a human can confirm them: better to surface the unknown than to silently call it 'necessary'.
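As an added illustration (not the scanner's own code), here is a small Python audit that applies the checks described on this page, the SameSite/Secure and 13-month expiry checks from the section above and the exact-then-prefix classification from this one, to a constructed capture of Set-Cookie headers together with the time each was set. The classification tables, the 396-day approximation of 13 months and the sample cookies are assumptions made for the example.

```python
# Constructed classification tables for this example (hypothetical, not the scanner's dictionary).
EXACT = {"_fbp": ("Meta Pixel", "marketing"), "_ga": ("Google Analytics", "analytics"),
         "sid": ("first-party", "necessary")}
PREFIX = {"_ga_": ("Google Analytics", "analytics")}
DPA_CAP_SECONDS = 396 * 86400  # assumption: the 13-month DPA cap approximated as 396 days
CAPTURE_WINDOW_S = 2.5         # only cookies set within 2.5 s of page load are captured

def classify(name):
    # Exact match first, then the longest matching prefix, else unknown (needs human review).
    if name in EXACT:
        return EXACT[name]
    for prefix in sorted(PREFIX, key=len, reverse=True):
        if name.startswith(prefix):
            return PREFIX[prefix]
    return ("unknown", "unknown")

def parse_set_cookie(header):
    # Returns (name, {attribute: value}); bare attributes such as Secure map to True.
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.lower(): (v or True) for k, _, v in (p.partition("=") for p in rest)}
    return first.partition("=")[0], attrs

def audit(header, set_at_s, consent_at_s=None):
    # Returns (name, vendor, category, [(severity, finding), ...]) for one captured cookie.
    name, attrs = parse_set_cookie(header)
    vendor, category = classify(name)
    findings = []
    if category == "unknown":
        findings.append(("minor", "unclassified cookie; needs human review"))
    elif category != "necessary" and (consent_at_s is None or set_at_s < consent_at_s):
        findings.append(("serious", "pre-consent tracking"))
    if str(attrs.get("samesite", "")).lower() == "none" and "secure" not in attrs:
        findings.append(("serious", "SameSite=None without Secure"))
    max_age = attrs.get("max-age")  # Max-Age only; an Expires date would need date parsing
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > DPA_CAP_SECONDS:
        findings.append(("moderate", "expiry exceeds 13 months"))
    return name, vendor, category, findings

SAMPLE_CAPTURE = [  # constructed capture of a fresh visitor with no consent: (header, seconds after load)
    ("_fbp=fb.1.1700000000000.123; Domain=.example.com; Path=/; Max-Age=7776000", 1.2),
    ("sid=abc123; Path=/; SameSite=None; HttpOnly", 0.3),
    ("_ga=GA1.1.111.222; Path=/; Max-Age=63072000", 0.8),
    ("_ga_ABC123=GS1.1.1; Path=/; Max-Age=63072000", 0.9),
    ("theme=dark; Path=/", 0.5),
]

def audit_capture(capture=SAMPLE_CAPTURE, consent_at_s=None):
    # Audit every cookie set inside the capture window, keyed by cookie name.
    return {r[0]: r for r in (audit(h, t, consent_at_s) for h, t in capture if t <= CAPTURE_WINDOW_S)}
```

Passing `consent_at_s` lets the same audit distinguish a cookie set before the banner was accepted from one set after it.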

Example findings

serious

Pre-consent tracking detected

Cookie "_fbp" (Meta Pixel, marketing) was set before the user gave consent. The cookie was issued 1.2 seconds after page load, while the consent banner was still loading. To fix it: gate the Meta Pixel script behind your consent management platform's "marketing" toggle.

Cookie    : _fbp
Domain    : .example.com
Category  : marketing
Set at    : t=1.2s (banner not yet interacted with)
Expiry    : 90 days

serious

SameSite=None without Secure flag

Session cookie "sid" is set with SameSite=None but without the Secure flag. Modern Chromium and Firefox silently reject this combination, so a percentage of your users (everyone whose browser has been updated in the last three years) intermittently loses state. Local development hides the problem because localhost is treated as Secure.

Set-Cookie: sid=abc123; Path=/; SameSite=None; HttpOnly

Fix: add the Secure flag, and make sure the cookie is only set over HTTPS:
Set-Cookie: sid=abc123; Path=/; SameSite=None; Secure; HttpOnly

moderate

Cookie expiry exceeds 13 months

Cookie "_ga" (Google Analytics, analytics) is set with a 24-month expiry. Most EU data protection authorities have published guidance that treats 13 months as the de facto maximum for analytics cookies, citing ePrivacy proportionality. A regulator audit would flag this as excessive retention.

Cookie  : _ga
Expiry  : 24 months (730 days)
DPA cap : 13 months (CNIL, ICO, AEPD)

Fix: in your GA4 admin, set "Data retention" to 14 months or less, or self-host with a custom expiry.

Scan your site in 60 seconds

25 free credits. No credit card. Real findings on the page you actually care about.