Gathering detailed insights and metrics for tough-cookie
Gathering detailed insights and metrics for tough-cookie
RFC6265 Cookies and CookieJar for Node.js
Installations
npm install tough-cookieDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Min. Node Version
>=16
Node Version
22.14.0
NPM Version
10.9.2
Score
99.5
Supply Chain
100
Quality
85.5
Maintenance
100
Vulnerability
100
License
Releases
11
Languages
4
TypeScript
JavaScript
Shell
EJS
TypeScript (99.47%)
JavaScript (0.38%)
Shell (0.12%)
EJS (0.03%)
Developer
salesforce
Download Statistics
Total Downloads
12,056,734,789
Last Day
3,034,895
Last Week
48,943,622
Last Month
213,265,979
Last Year
2,166,623,612
GitHub Statistics
BSD-3-Clause License
1,007 Stars
675 Commits
282 Forks
49 Watchers
56 Branches
66 Contributors
Updated on Jun 26, 2025
Bundle Size
136.95 kB
Minified
49.06 kB
Minified + Gzipped
Maintainers
2
Package Meta Information
Latest Version
5.1.2
Package Id
tough-cookie@5.1.2
Unpacked Size
222.39 kB
Size
48.76 kB
File Count
41
NPM Version
10.9.2
Node Version
22.14.0
Published on
Feb 28, 2025
Total Downloads
Cumulative downloads
Total Downloads
12,056,734,789
Tough Cookie · 
A Node.js implementation of RFC6265 for cookie parsing, storage, and retrieval.
Getting Started
Install Tough Cookie using npm:
1npm install tough-cookie
or yarn:
1yarn add tough-cookie
Usage
1import { Cookie, CookieJar } from 'tough-cookie' 2 3// parse a `Cookie` request header 4const reqCookies = 'ID=298zf09hf012fh2; csrf=u32t4o3tb3gg43; _gat=1' 5 .split(';') 6 .map(Cookie.parse) 7// generate a `Cookie` request header 8const cookieHeader = reqCookies.map((cookie) => cookie.cookieString()).join(';') 9 10// parse a Set-Cookie response header 11const resCookie = Cookie.parse( 12 'foo=bar; Domain=example.com; Path=/; Expires=Tue, 21 Oct 2025 00:00:00 GMT', 13) 14// generate a Set-Cookie response header 15const setCookieHeader = cookie.toString() 16 17// store and retrieve cookies 18const cookieJar = new CookieJar() // uses the in-memory store by default 19await cookieJar.setCookie(resCookie, 'https://example.com/') 20const matchingCookies = await cookieJar.getCookies('https://example.com/')
[!IMPORTANT] For more detailed usage information, refer to the API docs.
RFC6265bis
Support for RFC6265bis is being developed. As these revisions to RFC6252 are
still in Active Internet-Draft state, the areas of support that follow are subject to change.
SameSite Cookies
This change makes it possible for servers, and supporting clients, to mitigate certain types of CSRF
attacks by disallowing SameSite cookies from being sent cross-origin.
Example
1import { CookieJar } from 'tough-cookie' 2 3const cookieJar = new CookieJar() // uses the in-memory store by default 4 5// storing cookies with various SameSite attributes 6await cookieJar.setCookie( 7 'strict=authorized; SameSite=strict', 8 'http://example.com/index.html', 9) 10await cookieJar.setCookie( 11 'lax=okay; SameSite=lax', 12 'http://example.com/index.html', 13) 14await cookieJar.setCookie('normal=whatever', 'http://example.com/index.html') 15 16// retrieving cookies using a SameSite context 17const laxCookies = await cookieJar.getCookies('http://example.com/index.html', { 18 // the first cookie (strict=authorized) will not be returned if the context is 'lax' 19 // but the other two cookies will be returned 20 sameSiteContext: 'lax', 21})
[!NOTE] It is highly recommended that you read RFC6265bis - Section 8.8 for more details on SameSite cookies, security considerations, and defense in depth.
Cookie Prefixes
Cookie prefixes are a way to indicate that a given cookie was set with a set of attributes simply by inspecting the first few characters of the cookie's name.
Two prefixes are defined:
-
"__Secure-"If a cookie's name begins with a case-sensitive match for the string
__Secure-, then the cookie was set with a "Secure" attribute. -
"__Host-"If a cookie's name begins with a case-sensitive match for the string
__Host-, then the cookie was set with a "Secure" attribute, a "Path" attribute with a value of "/", and no "Domain" attribute.
If prefixSecurity is enabled for CookieJar, then cookies that match the prefixes defined above but do
not obey the attribute restrictions are not added.
You can define this functionality by passing in the prefixSecurity option to CookieJar. It can be one of 3 values:
silent: (default) Enable cookie prefix checking but silently fail to add the cookie if conditions are not met.strict: Enable cookie prefix checking and error out if conditions are not met.unsafe-disabled: Disable cookie prefix checking.
If
ignoreErroris passed in astruewhen setting a cookie then the error is silent regardless of theprefixSecurityoption (assuming it's enabled).
Example
1import { CookieJar, MemoryCookieStore } from 'tough-cookie' 2 3const cookieJar = new CookieJar(new MemoryCookieStore(), { 4 prefixSecurity: 'silent', 5}) 6 7// this cookie will be silently ignored since the url is insecure (http) 8await cookieJar.setCookie( 9 '__Secure-SID=12345; Domain=example.com; Secure;', 10 'http://example.com', 11) 12 13// this cookie will be stored since the url is secure (https) 14await cookieJar.setCookie( 15 '__Secure-SID=12345; Domain=example.com; Secure;', 16 'https://example.com', 17)
[!NOTE] It is highly recommended that you read RFC6265bis - Section 4.1.3 for more details on Cookie Prefixes.
Node.js Version Support
We follow the Node.js release schedule and support all versions that are in Active LTS or Maintenance. We will always do a major release when dropping support for older versions of node, and we will do so in consultation with our community.
High
7.5/10
Summary
Regular Expression Denial of Service in tough-cookie
Affected Versions
< 2.3.3
Patched Versions
2.3.3
Moderate
6.5/10
Summary
tough-cookie Prototype Pollution vulnerability
Affected Versions
< 4.1.3
Patched Versions
4.1.3
Moderate
5.3/10
Summary
ReDoS via long string of semicolons in tough-cookie
Affected Versions
< 2.3.0
Patched Versions
2.3.0
Reason
all changesets reviewed
Reason
no dangerous workflow patterns detected
Reason
13 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: BSD 3-Clause "New" or "Revised" License: LICENSE:0
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: SECURITY.md:1
Reason
1 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/publish.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yaml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/publish.yaml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/integration.yaml:52
- Warn: npmCommand not pinned by hash: .github/workflows/integration.yaml:53
- Warn: npmCommand not pinned by hash: .github/workflows/integration.yaml:88
- Info: 0 out of 14 GitHub-owned GitHubAction dependencies pinned
- Info: 8 out of 11 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yaml:9
- Info: topLevel 'contents' permission set to 'read': .github/workflows/integration.yaml:10
- Info: topLevel 'contents' permission set to 'read': .github/workflows/publish.yaml:8
- Warn: no topLevel permission defined: .github/workflows/slonser.yaml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 30 are checked with a SAST tool
Score
6.6
/10
Last Scanned on 2025-06-23
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More