RFC6265 Cookies and CookieJar for Node.js
Installations
npm install tough-cookieDeveloper Guide
Typescript
Yes
Module System
CommonJS
Min. Node Version
>=16
Node Version
22.13.1
NPM Version
10.9.2
Score
99.5
Supply Chain
100
Quality
89.9
Maintenance
100
Vulnerability
100
License
Releases
Contributors
Languages
TypeScript (67.12%)
JavaScript (32.78%)
Shell (0.08%)
EJS (0.02%)
validate.email 🚀
Verify real, reachable, and deliverable emails with instant MX records, SMTP checks, and disposable email detection.
Developer
salesforce
Download Statistics
Total Downloads
11,422,360,395
Last Day
8,259,404
Last Week
44,424,962
Last Month
197,639,054
Last Year
2,021,306,062
GitHub Statistics
BSD-3-Clause License
988 Stars
650 Commits
251 Forks
50 Watchers
51 Branches
66 Contributors
Updated on Feb 28, 2025
Bundle Size
136.85 kB
Minified
49.02 kB
Minified + Gzipped
Maintainers
Package Meta Information
Latest Version
5.1.1
Package Id
tough-cookie@5.1.1
Unpacked Size
222.39 kB
Size
48.75 kB
File Count
41
NPM Version
10.9.2
Node Version
22.13.1
Published on
Feb 07, 2025
Total Downloads
Cumulative downloads
Total Downloads
11,422,360,395
Last Day
-3.7%
8,259,404
Compared to previous day
Last Week
2.4%
44,424,962
Compared to previous week
Last Month
21.5%
197,639,054
Compared to previous month
Last Year
0.2%
2,021,306,062
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Tough Cookie · 
A Node.js implementation of RFC6265 for cookie parsing, storage, and retrieval.
Getting Started
Install Tough Cookie using npm:
1npm install tough-cookie
or yarn:
1yarn add tough-cookie
Usage
1import { Cookie, CookieJar } from 'tough-cookie' 2 3// parse a `Cookie` request header 4const reqCookies = 'ID=298zf09hf012fh2; csrf=u32t4o3tb3gg43; _gat=1' 5 .split(';') 6 .map(Cookie.parse) 7// generate a `Cookie` request header 8const cookieHeader = reqCookies.map((cookie) => cookie.cookieString()).join(';') 9 10// parse a Set-Cookie response header 11const resCookie = Cookie.parse( 12 'foo=bar; Domain=example.com; Path=/; Expires=Tue, 21 Oct 2025 00:00:00 GMT', 13) 14// generate a Set-Cookie response header 15const setCookieHeader = cookie.toString() 16 17// store and retrieve cookies 18const cookieJar = new CookieJar() // uses the in-memory store by default 19await cookieJar.setCookie(resCookie, 'https://example.com/') 20const matchingCookies = await cookieJar.getCookies('https://example.com/')
[!IMPORTANT] For more detailed usage information, refer to the API docs.
RFC6265bis
Support for RFC6265bis is being developed. As these revisions to RFC6252 are
still in Active Internet-Draft state, the areas of support that follow are subject to change.
SameSite Cookies
This change makes it possible for servers, and supporting clients, to mitigate certain types of CSRF
attacks by disallowing SameSite cookies from being sent cross-origin.
Example
1import { CookieJar } from 'tough-cookie' 2 3const cookieJar = new CookieJar() // uses the in-memory store by default 4 5// storing cookies with various SameSite attributes 6await cookieJar.setCookie( 7 'strict=authorized; SameSite=strict', 8 'http://example.com/index.html', 9) 10await cookieJar.setCookie( 11 'lax=okay; SameSite=lax', 12 'http://example.com/index.html', 13) 14await cookieJar.setCookie('normal=whatever', 'http://example.com/index.html') 15 16// retrieving cookies using a SameSite context 17const laxCookies = await cookieJar.getCookies('http://example.com/index.html', { 18 // the first cookie (strict=authorized) will not be returned if the context is 'lax' 19 // but the other two cookies will be returned 20 sameSiteContext: 'lax', 21})
[!NOTE] It is highly recommended that you read RFC6265bis - Section 8.8 for more details on SameSite cookies, security considerations, and defense in depth.
Cookie Prefixes
Cookie prefixes are a way to indicate that a given cookie was set with a set of attributes simply by inspecting the first few characters of the cookie's name.
Two prefixes are defined:
-
"__Secure-"If a cookie's name begins with a case-sensitive match for the string
__Secure-, then the cookie was set with a "Secure" attribute. -
"__Host-"If a cookie's name begins with a case-sensitive match for the string
__Host-, then the cookie was set with a "Secure" attribute, a "Path" attribute with a value of "/", and no "Domain" attribute.
If prefixSecurity is enabled for CookieJar, then cookies that match the prefixes defined above but do
not obey the attribute restrictions are not added.
You can define this functionality by passing in the prefixSecurity option to CookieJar. It can be one of 3 values:
silent: (default) Enable cookie prefix checking but silently fail to add the cookie if conditions are not met.strict: Enable cookie prefix checking and error out if conditions are not met.unsafe-disabled: Disable cookie prefix checking.
If
ignoreErroris passed in astruewhen setting a cookie then the error is silent regardless of theprefixSecurityoption (assuming it's enabled).
Example
1import { CookieJar, MemoryCookieStore } from 'tough-cookie' 2 3const cookieJar = new CookieJar(new MemoryCookieStore(), { 4 prefixSecurity: 'silent', 5}) 6 7// this cookie will be silently ignored since the url is insecure (http) 8await cookieJar.setCookie( 9 '__Secure-SID=12345; Domain=example.com; Secure;', 10 'http://example.com', 11) 12 13// this cookie will be stored since the url is secure (https) 14await cookieJar.setCookie( 15 '__Secure-SID=12345; Domain=example.com; Secure;', 16 'https://example.com', 17)
[!NOTE] It is highly recommended that you read RFC6265bis - Section 4.1.3 for more details on Cookie Prefixes.
Node.js Version Support
We follow the Node.js release schedule and support all versions that are in Active LTS or Maintenance. We will always do a major release when dropping support for older versions of node, and we will do so in consultation with our community.
Stable Version
Stable Version
5.1.1
High
1
7.5/10
Summary
Regular Expression Denial of Service in tough-cookie
Affected Versions
< 2.3.3
Patched Versions
2.3.3
Moderate
2
6.5/10
Summary
tough-cookie Prototype Pollution vulnerability
Affected Versions
< 4.1.3
Patched Versions
4.1.3
5.3/10
Summary
ReDoS via long string of semicolons in tough-cookie
Affected Versions
< 2.3.0
Patched Versions
2.3.0
Reason
29 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: BSD 3-Clause "New" or "Revised" License: LICENSE:0
Reason
0 existing vulnerabilities detected
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: SECURITY.md:1
Reason
Found 9/10 approved changesets -- score normalized to 9
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/publish.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yaml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/publish.yaml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/integration.yaml:88
- Warn: npmCommand not pinned by hash: .github/workflows/integration.yaml:52
- Warn: npmCommand not pinned by hash: .github/workflows/integration.yaml:53
- Info: 0 out of 14 GitHub-owned GitHubAction dependencies pinned
- Info: 8 out of 11 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yaml:9
- Info: topLevel 'contents' permission set to 'read': .github/workflows/integration.yaml:10
- Info: topLevel 'contents' permission set to 'read': .github/workflows/publish.yaml:8
- Warn: no topLevel permission defined: .github/workflows/slonser.yaml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 29 are checked with a SAST tool
Score
6.6
/10
Last Scanned on 2025-02-17
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More