In this lesson, we'll study host-only cookies.

When a server does not include a Domain directive the cookie is to be considered host-only, meaning that its validity is restricted to the current domain only.

This is a sort of default behavior from browsers when they receive a cookie that does not have a Domain set. You can find a small example I wrote at It’s a simple web app that sets cookies based on URL parameters, and prints cookies on the page, through some JavaScript code.

  <div id="output"/ >
    let content = "none";

    if (document.cookie) {
      let cookies = document.cookie.split(';')
      content = ''

      cookies.forEach(c => {
        content += "<p><code>" + c + "</code></p>"

    document.getElementById('output').innerHTML = "Cookies on this document: <div>" + content + "</div>"

If you follow the instructions in the README you will be able to access a webserver at wasec.local:7888, which illustrates how host-only cookies work.

Get hands-on with 1200+ tech skills courses.