cookie-parser

Express.js middleware that parses Cookie headers and populates req.cookies with an object of cookie name-value pairs. Supports signed cookies (HMAC-SHA256 via a secret) with req.signedCookies for tamper detection. Part of the expressjs GitHub organization. The standard way to read cookies in Express applications — used alongside express-session or directly for stateless cookie-based auth.

Evaluated Mar 06, 2026 (0d ago) v1.x

Homepage ↗ Repo ↗ Developer Tools cookies express middleware node http session auth

⚙ Agent Friendliness

/ 100

Can an agent use this?

🔒 Security

/ 100

Is it safe for agents?

⚡ Reliability

/ 100

Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality

Documentation

Error Messages

Auth Simplicity

100

Rate Limits

100

🔒 Security

TLS Enforcement

100

Auth Strength

Scope Granularity

Dep. Hygiene

Secret Handling

Signed cookies provide tamper detection but not confidentiality. Cookies should be sent with HttpOnly and Secure flags. HMAC signing secret must be kept secure.

⚡ Reliability

Uptime/SLA

Version Stability

Breaking Changes

Error Recovery

Best When

You need to read cookies in an Express.js application — specifically for session cookies, auth tokens in cookies, or any cookie-based client state.

Avoid When

You're using a framework with built-in cookie handling (Next.js, Fastify, Hono), or you're using JWT in Authorization headers instead of cookies.

Use Cases

• Read HTTP cookies sent by the browser in Express.js request handlers via req.cookies.cookieName
• Implement signed cookies for tamper-evident client-side data storage using cookieParser(secret) with req.signedCookies
• Support cookie-based authentication tokens by reading auth cookies set by the login endpoint
• Read session cookies that reference server-side session data when using express-session
• Access preferences stored in browser cookies (theme, language, user settings) in Express route handlers

Not For

• Session management — use express-session for full session management (cookie-parser is just the parser)
• Setting cookies — use res.cookie() in Express directly; cookie-parser only reads incoming cookies
• JWT handling in Authorization headers — use passport-jwt or custom middleware for Bearer token auth

Interface

REST API

GraphQL

gRPC

MCP Server

SDK

Yes

Webhooks

Authentication

Methods: none

OAuth: No Scopes: No

No auth itself — cookie parser middleware. Signed cookies use HMAC secret for tamper detection but are not encrypted.

Pricing

Model: open_source

Free tier: Yes

Requires CC: No

Fully free, MIT licensed.

Agent Metadata

Pagination

none

Idempotent

Full

Retry Guidance

Not documented

Known Gotchas

⚠ Signed cookies: req.signedCookies returns false for tampered cookies (not an error) — always check for false explicitly, not just falsy
⚠ Cookies are only parsed if cookie-parser is registered as middleware — if req.cookies is undefined, cookie-parser was not applied to the route
⚠ Cookie secret is for signing only (HMAC), not encryption — signed cookies are still readable but tamper-evident; don't store sensitive data in cookies without encryption
⚠ req.cookies is populated with all cookies regardless of domain/path matching — filtering by cookie attribute is the developer's responsibility
⚠ body-parser and cookie-parser are separate middlewares — both needed in most Express apps; missing one or the other causes req.body or req.cookies to be undefined
⚠ SameSite cookie attribute is set via res.cookie() options, not cookie-parser — cookie-parser reads what's sent, res.cookie() controls what security attributes are set

Alternatives

express-session-api js-cookie-api tough-cookie-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for cookie-parser.

$99

API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.