Tyrus · free cookie scanner

DO YOU KNOW WHAT YOUR WEBSITE IS TRACKING?

Find out what cookies and trackers a public website exposes in HTTP and HTML. Deep static crawl (up to 50 pages), 70+ tracker signatures, cookie Secure/HttpOnly/SameSite, consent-banner markup, privacy-policy checks, CSP review — clear Tyrus report in under two minutes.

Only public pages on the same host (up to 50 URLs). Report link expires in about 1 hour. Static scan — no JavaScript execution. Educational overview, not legal advice.

  • Deep static scan
  • Up to 50 pages
  • 70+ tracker patterns
  • Download HTML report
  • Cookie flags & CSP

What the deep scanner checks

  • Smart multi-page crawl: Homepage, robots.txt, recursive sitemap, priority paths (privacy, cookies, terms, login, checkout) — up to 50 same-host pages with a shared cookie jar.
  • 70+ tracker inventory: GTM, GA4, Meta, Hotjar, TikTok, Criteo, Taboola, Segment, Tealium, Adobe, chat widgets and more — from HTML and script URLs.
  • Cookie attributes: Set-Cookie parsed for Secure, HttpOnly, SameSite, domain, path and expiry — with flag warnings in findings.
  • Consent & CMP markup: Common CMP signatures in HTML — plus reject button, granular toggles and privacy-link signals.
  • Privacy, security & tech: Policy page fetch, CSP deep analysis, merged security headers, mixed content, embeds, Google Fonts, WordPress/Shopify/Next.js detection.
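
The cookie-attribute check from the list above, written as an added Python example. It is not Tyrus's code (the scanner is described as server-side PHP); the function names, warning strings and sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def lifetime_days(attrs, now):
    """Days until expiry (Max-Age overrides Expires); None means session cookie."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) / 86400
        if "expires" in attrs:
            return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    except (ValueError, TypeError):  # unparseable value: lifetime unknown
        pass
    return None

def audit(header, https=True, now=None):
    """Return name, lifetime and flag warnings for one Set-Cookie header."""
    c = parse_set_cookie(header)
    a = c["attrs"]
    warnings = []
    if https and "secure" not in a:
        warnings.append("missing Secure")
    if "httponly" not in a:
        warnings.append("missing HttpOnly")
    samesite = a.get("samesite", "").lower()
    if samesite not in ("strict", "lax", "none"):
        warnings.append("SameSite missing or invalid")
    elif samesite == "none" and "secure" not in a:
        warnings.append("SameSite=None without Secure")
    if "domain" in a:
        warnings.append("Domain set: cookie is also sent to subdomains")
    days = lifetime_days(a, now or datetime.now(timezone.utc))
    return {"name": c["name"], "days": days, "warnings": warnings}

# Constructed sample headers (not taken from any real site).
SAMPLES = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.111.222; Domain=.example.com; Path=/; Max-Age=63072000",
    "pref=dark; Path=/; SameSite=None; HttpOnly; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]
```

Calling `audit()` on each entry of `SAMPLES` yields one finding record per cookie; a `days` value of `None` marks a session cookie.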

Engine capabilities (static, no browser)

Everything below runs on shared hosting — no Playwright, no headless Chrome.

50-page smart crawl

Sitemap recursion, footer links, priority legal paths.

70+ tracker regex

Ads, analytics, tag managers, chat, A/B tools.

Cookie jar + flags

Sequential fetches keep session cookies; attributes parsed.

Consent markup audit

Reject control, categories, dark-pattern hints.

Privacy policy fetch

Discovers and reads policy/cookie pages for key GDPR phrases.

CSP & headers

unsafe-inline/eval, wildcards, Permissions-Policy.

External resources

Mixed content, embeds, Google Fonts on HTTPS pages.

Tech fingerprint

CMS and framework signals from HTML/headers.

How it works

Server-side PHP maps everything visible in HTTP responses and HTML source — then groups severity-ranked findings with recommendations for GDPR-oriented review.

1. Enter website URL

Type any public HTTPS address. The URL is normalized; the crawl starts from the homepage.

2. Detect & classify

The engine crawls with a cookie jar, classifies 70+ tracker patterns, parses cookie flags, analyzes consent markup, fetches policy pages and merges security headers across pages.

3. Actionable report

Severity summary, top urgent items, score, tables and limits — ready to download or forward to developers and privacy leads.

Why use this scanner?

See the full picture

Stop guessing which tags and cookies exist on your public pages.

GDPR-oriented context

Understand what may need consent before legal review or CMP implementation.

Independent & clean

Built by Tyrus — no third-party widgets on this tool page.

Shareable output

Download a self-contained HTML report for stakeholders.

What this scan cannot verify

Honest boundaries — the report lists these explicitly. For proof after Accept/Reject with HAR evidence, use the professional Playwright audit.

  • No JavaScript execution — tags loaded only after JS will not appear.
  • No consent-banner clicks — cannot test pre vs post consent behavior.
  • No HAR or network waterfall — only HTML and response headers.
  • No post-JS cookies or localStorage/sessionStorage dumps.
  • No iframe or subresource deep audit beyond markup references.
  • No legal compliance verdict — technical visibility only.
  • Consent analysis is markup-only (banner HTML, not interaction).
  • Real browser audit (Accept/Reject/HAR) is a separate professional service.

Free scan vs professional audit

Best free deep static overview on shared hosting. For consent-phase proof, choose the Playwright audit.

Free web scanner

  • Up to 50 pages, same host, cookie jar
  • 70+ trackers, cookie flags, CMP markup
  • Privacy pages, deep CSP analysis, security headers
  • Severity findings + HTML download
  • DNS validation & live progress
  • No JavaScript execution
  • No pre/post consent clicks or HAR

Professional audit (Tyrus)

  • Real browser (Chromium)
  • Pre-consent vs Accept vs Reject
  • HAR, storage dumps, screenshots
  • Legal review options (partner)

Frequently asked questions

What is a website cookie scanner?

It scans public pages to list cookies, scripts and tracking patterns in the HTML and HTTP headers — the first step toward privacy compliance and consent design.

How is this different from other free cookie checkers?

This Tyrus scanner is independent: multi-page crawl on the same host, robots.txt, sitemap, TLS and security headers, cookie flags, and a downloadable HTML report — no vendor lock-in. Many vendor checkers only inspect one page or promote their own CMP product. Neither replaces a real-browser consent test (Accept/Reject/HAR).

Does the scan make my site GDPR compliant?

No tool can guarantee compliance. The scan surfaces technical signals; legal assessment belongs with the site owner and advisors.

Why is JavaScript not executed?

Running JS in the cloud would need headless browsers (heavy and costly on shared hosting). The professional Tyrus audit (desktop Playwright) delivers that with HAR evidence and optional legal review via Jurist-Tiru.

How long does a scan take?

Most sites finish in 15–90 seconds depending on size. You see a live progress bar (percentage and step) while the server crawls — similar to performance tools — then land on the full report.

Can this replace a paid CMP or a legal audit?

No. It is an independent static reconnaissance tool — broader than many one-page checkers, but it does not click Accept/Reject, run JavaScript, or issue legal opinions. Use it to prepare questions for your CMP vendor or legal advisor.