Cookie Scanner: see what a page sets before consent

Enter a URL and the Cookie Scanner reads the cookies a site sets on the very first response — before any consent is given — classifies each one, then finds the tracking tags waiting on the page and inside its Google Tag Manager container. It tells you what fires before opt-in, what's held behind the banner, and where the compliance risks are.

What the Cookie Scanner checks

Most cookie checkers list whatever is in your browser after the page has fully loaded and you've already clicked through a banner. The Cookie Scanner does the opposite: it fetches the page server-side and reads the Set-Cookie headers on the first response — the cookies that exist before a visitor touches any consent UI. Each one is matched against a catalogue of thousands of known cookies and labelled with its provider, category, purpose and lifetime, so a row like _ga reads as Google Analytics, an analytics cookie, two years — not just a name.

Cookies set before consent

The headline check is simple: did any analytics or advertising cookie arrive on the first request? Under UK PECR and the GDPR, non-essential cookies need opt-in consent before they are set, so a tracking cookie that appears before any banner could be clicked is a compliance flag. Strictly necessary cookies — load balancing, sessions, CSRF tokens — are exempt, and the scanner classifies those as necessary so they don't muddy the result. The summary shows how many cookies were set on first load and how many of them needed consent first.

Tracking tags hiding in Google Tag Manager

Tags that only fire after consent — GA4, Google Ads, Microsoft Clarity, the Meta Pixel — usually don't appear in a page's static HTML at all. Their cookies show up later, in a real browser, once a visitor accepts. To surface them anyway, the scanner reads the Google Tag Manager container itself and detects the signatures of the tags configured inside it, then lists each tag and the cookies it will set on acceptance. That turns an invisible tag stack into a clear "after consent" inventory you can check against your privacy policy.

Consent banners — named platforms and custom builds

The scanner detects whether a consent banner is present and, where it can, names the platform. Crucially it doesn't stop at off-the-shelf tools: it also recognises self-built banners and Google Consent Mode signals, so a custom-coded banner is reported as a custom consent setup rather than a false "no banner found". Because only named platforms can be identified by signature, a custom banner is flagged for you to verify manually that it actually blocks analytics and advertising cookies until opt-in — the scanner reads the first response, not a live click-through.

Cookie attributes and lifetimes

For every cookie the scanner records the Secure, HttpOnly and SameSite attributes and its expiry. It raises the issues that actually break things or trip auditors: SameSite=None without Secure (which modern browsers silently drop), cookies missing the Secure flag on an HTTPS site, lifetimes longer than 13 months — the ceiling the ICO and CNIL set for consent-based cookies — and any third-party cookie domains the page sets. Each finding is a prioritised pass, warning or fail with a plain-English explanation of why it matters.
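The attribute checks described above can be reproduced against raw Set-Cookie header values. The following is an added example, not RankNibbler's code: the function names, finding labels, sample headers and the 396-day approximation of 13 months are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(days=396)  # assumption: 13 months approximated as 396 days
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the constructed samples
SAMPLE = [  # constructed Set-Cookie values, not taken from a real scan
    "_ga=GA1.1.1; Max-Age=63072000; Path=/; SameSite=None",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "pref=dark; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def lifetime(attrs, now):
    """Max-Age takes precedence over Expires (RFC 6265); None means session cookie."""
    try:
        if "max-age" in attrs:
            return timedelta(seconds=int(attrs["max-age"]))
        if "expires" in attrs:
            return parsedate_to_datetime(attrs["expires"]) - now
    except (TypeError, ValueError):
        pass  # unparseable lifetime: treat as unknown rather than guess
    return None

def audit(header, https=True, now=None):
    """Return (cookie name, list of finding labels) for one Set-Cookie value."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    secure, findings = "secure" in attrs, []
    if attrs.get("samesite", "").lower() == "none" and not secure:
        findings.append("samesite-none-without-secure")
    if https and not secure:
        findings.append("missing-secure")
    life = lifetime(attrs, now)
    if life is not None and life > MAX_LIFETIME:
        findings.append("lifetime-over-13-months")
    return name, findings

def scan(headers, https=True, now=None):
    """Audit every header and return {cookie name: findings}."""
    return dict(audit(h, https, now) for h in headers)
```

Calling `scan(SAMPLE, now=NOW)` reports all three issues for the two-year `_ga` cookie, none for the session cookie, and only the lifetime finding for `pref`.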

What "good" looks like on a first-load scan:

A free scanner inside a full SEO suite

The Cookie Scanner is free with a RankNibbler account and saves every scan to a history your whole workspace can revisit or share by permalink. It sits alongside the rest of the suite, so a cookie that appears after a deploy connects straight to Change Monitoring, and the page it sits on can go through a full Site Audit. No per-check limits, no paid gate — just the scan and the findings.

How to scan a page for cookies and consent

Three steps:

1. Enter a URL

Type any public URL into the Cookie Scanner. The tool fetches the page server-side so it can read the Set-Cookie headers on the first response.

2. Run the scan

Run it and the scanner classifies every first-load cookie, detects the tracking tags on the page and inside the Google Tag Manager container, and checks whether a consent banner gates them.

3. Review and fix

Read the prioritised checks — cookies before consent, missing Secure flags, long lifetimes — fix what's flagged, then re-scan. Each scan is saved with a permalink you can share.

Frequently asked questions

What does a cookie scanner do?

It loads a page and lists the cookies the site stores, then classifies each one by who sets it, what category it falls into and how long it lasts. RankNibbler's Cookie Scanner focuses on the cookies set on the very first server response — before any banner could be clicked — and pairs them with the tracking tags installed on the page and inside its Google Tag Manager container, so you can see what fires before consent and what waits behind it.

How do I check what cookies a website sets before consent?

Enter the URL and run a scan. The tool fetches the page server-side and reads the Set-Cookie headers on the first response — the cookies that exist before a visitor interacts with any consent banner. Each cookie is listed with its provider, category, lifetime and security attributes, and any analytics or advertising cookie in that first-load set is flagged.

Is it a problem if cookies are set before consent?

For non-essential cookies, yes. Under UK PECR and the GDPR, analytics and advertising cookies need opt-in consent before they are set, so a tracking cookie that appears on the very first request — before any banner is clicked — is a compliance flag. Strictly necessary cookies, such as load-balancing or session cookies, are exempt and the scanner classifies them as necessary.

Does it detect tracking tags loaded through Google Tag Manager?

Yes. Tags that only fire after consent rarely appear in the page's static HTML, so the scanner also looks inside the Google Tag Manager container itself and reads the signatures of the tags configured there — GA4, Google Ads, Microsoft Clarity, Meta Pixel and others — along with the cookies each will set once a visitor accepts.

What if my site uses a custom cookie banner instead of a named platform?

The scanner recognises both. Alongside named consent platforms, it detects self-built banners and Google Consent Mode signals, so a custom-coded banner is reported as a custom consent setup rather than "no banner". Because only named platforms can be identified by signature, a custom banner is flagged for you to verify manually that it gates analytics and advertising cookies until opt-in.

What cookie attributes does it check?

For every cookie it records the Secure, HttpOnly and SameSite attributes and its lifetime. It flags SameSite=None without Secure (which browsers silently reject), cookies missing the Secure flag on an HTTPS site, and lifetimes longer than the 13-month guidance from the ICO and CNIL for consent-based cookies.

Is the Cookie Scanner free?

Yes. It's free with a RankNibbler account and saves each scan to a history you can revisit or share by permalink across your workspace. It's part of the wider RankNibbler toolset alongside the Site Audit and Change Monitor.

Scan a page for cookies

Enter a URL and the scanner reads the cookies set before consent, the tags behind the banner and the compliance flags — it's free.
