Following on from the header updates, I’ve also had to refactor the Cookie Scanner. With the final nail in the coffin for unpartitioned third-party cookies in 2026, the way we audit cookies had to change.

If you’re running embedded widgets—like support chats, maps, or auth providers—that rely on cross-site state, the old way of doing things is officially broken. I’ve updated our scanning engine to look for the new standards, specifically CHIPS. Here are some notes on what to look out for.


The CHIPS Protocol (Partitioned Cookies)

This is the big one. Since browsers now block standard third-party cookies to prevent tracking, the "Privacy Sandbox" introduced CHIPS (Cookies Having Independent Partitioned State). A partitioned cookie is keyed by the top-level site the user is visiting as well as by the site that set it, so an embedded widget gets a separate cookie jar on every site that embeds it, and the cookie can no longer be used to follow a user from one site to the next.

The scanner now checks for the Partitioned attribute. If you're setting SameSite=None but haven't added Partitioned, a browser that blocks third-party cookies will simply drop that cookie in a cross-site context. I've added a fairly heavy penalty for this because it's a functional failure: your widget just won't work for the user. Two things to keep in mind: a Partitioned cookie must also carry Secure (the browser rejects it otherwise), and because the partitioned jar is separate per embedding site, a widget that used to recognise the same user on every site that embeds it will now see a fresh visitor on each one.

Updated Logic & Scoring

I’ve kept the core checks for Secure and HttpOnly, but I’ve tweaked the scoring to be a bit more “2026-aware”:

  • Secure: This is non-negotiable now. If it's missing, it's an immediate fail (and the browser rejects SameSite=None and Partitioned without it anyway).
  • SameSite: I’ve set the baseline to Lax, but the scanner will nudge you toward Strict for first-party session cookies.
  • Partitioned: As mentioned, if you’re going cross-site (SameSite=None), you must have the Partitioned flag.

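As an added example, not the SiteVitals scanner's own code, here is a small Python checker that applies those rules to raw Set-Cookie headers: a missing Secure is a hard fail, SameSite=None without Partitioned takes the heavy penalty, first-party session cookies get the Strict nudge, and repeated attributes (the "Secure; Secure" that a header-rewriting proxy can produce) are flagged because browsers keep the last value of a repeated attribute. The penalty weights and the sample headers are my own assumptions for illustration; the post gives no numbers.

```python
"""Set-Cookie checker applying the scoring rules above.

Added example, not the SiteVitals scanner's own code. Penalty weights are
assumptions for illustration; the rules (Secure mandatory, SameSite baseline
Lax with a nudge to Strict for first-party session cookies, SameSite=None
requires Partitioned) follow the text.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CookieReport:
    name: str
    score: int          # 0..100, forced to 0 when the cookie is an immediate fail
    fail: bool
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, str, list[tuple[str, Optional[str]]]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attributes come back in order with lower-cased names and duplicates
    preserved, so the caller can detect 'Secure; Secure' style repeats.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: list[tuple[str, Optional[str]]] = []
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs.append((key.strip().lower(), val.strip() if sep else None))
    return name.strip(), value.strip(), attrs


def score_cookie(header: str, first_party_session: bool = False) -> CookieReport:
    """Score a single Set-Cookie header. Weights are illustrative assumptions."""
    name, _value, attrs = parse_set_cookie(header)
    findings: list[str] = []
    score = 100
    fail = False

    # Repeated attributes: browsers keep the last occurrence, which is how a
    # header-rewriting proxy can silently turn SameSite=None into SameSite=Lax.
    counts: dict[str, int] = {}
    for key, _ in attrs:
        counts[key] = counts.get(key, 0) + 1
    for key, count in counts.items():
        if count > 1:
            findings.append(f"'{key}' appears {count} times; browsers keep the last value")
            score -= 10
    flags: dict[str, Optional[str]] = dict(attrs)  # dict() keeps the last duplicate, like a browser

    if "secure" not in flags:
        findings.append("missing Secure: immediate fail")
        fail = True
    if "httponly" not in flags:
        findings.append("missing HttpOnly")
        score -= 20

    samesite = (flags.get("samesite") or "").lower()
    if not samesite:
        findings.append("no SameSite attribute; state it explicitly (baseline Lax)")
        score -= 10
    elif samesite == "none":
        if "secure" not in flags:
            findings.append("SameSite=None without Secure is rejected outright by Chromium-based browsers")
        if "partitioned" not in flags:
            findings.append("SameSite=None without Partitioned: dropped in cross-site "
                            "contexts once third-party cookies are blocked")
            score -= 40
    elif samesite == "lax":
        if first_party_session:
            findings.append("first-party session cookie: consider SameSite=Strict")
            score -= 5
    elif samesite != "strict":
        findings.append(f"unrecognised SameSite value {flags['samesite']!r}")
        score -= 10

    if "partitioned" in flags and "secure" not in flags:
        findings.append("Partitioned requires Secure")

    return CookieReport(name, 0 if fail else max(score, 0), fail, findings)


def scan_headers(headers: list[str],
                 session_cookie_names: frozenset[str] = frozenset()) -> list[CookieReport]:
    """Score every Set-Cookie header of a response; named session cookies get the Strict nudge."""
    return [score_cookie(h, parse_set_cookie(h)[0] in session_cookie_names) for h in headers]


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "widget_session=abc123; Path=/; Secure; HttpOnly; SameSite=None; Partitioned",
    "widget_session=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "app_session=xyz; Path=/; HttpOnly; SameSite=Lax",
    "app_session=xyz; Path=/; Secure; Secure; HttpOnly; SameSite=None; SameSite=Lax",
]

if __name__ == "__main__":
    for report in scan_headers(SAMPLE_HEADERS, frozenset({"app_session"})):
        status = "FAIL" if report.fail else f"{report.score:3d}"
        print(f"{status}  {report.name}")
        for finding in report.findings:
            print(f"      - {finding}")
```

Point scan_headers() at the Set-Cookie headers of a real response (for example `response.raw.headers.getlist("Set-Cookie")` in requests, since a plain dict merges repeated headers) and pass the names of your first-party session cookies so they get the Strict nudge.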
I’ve also added some better debug logging to the scanner (using a new trait I put together) so I can see exactly why a specific cookie is losing points during my own testing.


Implementation Guide

If you need to get your cookies back into the green, here is how you handle the new Partitioned attribute in a couple of common environments.

1. Laravel (PHP)

If you're manually queuing cookies in Laravel, you'll need to set the tenth parameter to true for partitioned cookies (Cookie::make() takes the same positional arguments). It's a bit long-winded, but it works. Keep the Secure argument true as well: the browser rejects a Partitioned cookie, and a SameSite=None cookie, without it. Recent Laravel versions also expose a partitioned option in config/session.php for the framework's own session cookie, which is the right place to fix that one rather than queuing it by hand.

// Example: Creating a 2026-compliant cross-site cookie
use Illuminate\Support\Facades\Cookie;

Cookie::queue(
    'widget_session', // name
    'session_value',  // value
    60,               // lifetime in minutes
    '/',              // path
    null,             // domain (null = current host)
    true,             // Secure (required for SameSite=None and for Partitioned)
    true,             // HttpOnly
    false,            // raw (false = URL-encode the value)
    'None',           // SameSite: cross-site embedding needs None
    true              // Partitioned (CHIPS)
);

2. Nginx Proxy Fix

If you have a legacy backend you can't touch, you can have Nginx patch the cookies as they pass through. The map below builds a copy of the upstream Set-Cookie header with Partitioned appended when the header carries SameSite=None and doesn't already have Partitioned; the backend's own header is hidden so the cookie isn't sent twice. The map must sit in the http context, and the proxy_pass target is a placeholder for your backend.

# http {} context: build a patched copy of the upstream Set-Cookie header
map $upstream_http_set_cookie $modified_cookie {
    default                                  $upstream_http_set_cookie;
    "~*^(?!.*Partitioned).*SameSite=None"    "$upstream_http_set_cookie; Partitioned";
}

server {
    location / {
        proxy_pass http://127.0.0.1:8080;   # your legacy backend
        # Hide the backend's Set-Cookie so the cookie isn't emitted twice ...
        proxy_hide_header Set-Cookie;
        # ... and send the patched copy instead (always: also on 3xx/4xx/5xx)
        add_header Set-Cookie $modified_cookie always;
    }
}

One caveat: $upstream_http_set_cookie exposes either only the first Set-Cookie header or, on newer releases, several of them joined into one string, so this trick is only safe for a backend that sets a single cookie per response. If it sets several, use a module that can iterate over the headers (headers-more or Lua) rather than this map.

3. Apache (.htaccess) Implementation

If you're on Apache, you can use mod_headers to patch your cookies. This is especially useful if you have a legacy application that doesn't support the Partitioned attribute natively. Each rule below only appends a flag when the header doesn't already carry it (that is what the negative lookahead at the start of each pattern is for), so an app that already sets the flag isn't given it twice.

    # 1. Add Secure, HttpOnly and a SameSite=Lax baseline, each only where it is missing
    Header edit Set-Cookie (?i)^((?!.*;\s*Secure(?:;|$)).*)$ "$1; Secure"
    Header edit Set-Cookie (?i)^((?!.*;\s*HttpOnly(?:;|$)).*)$ "$1; HttpOnly"
    Header edit Set-Cookie (?i)^((?!.*;\s*SameSite=).*)$ "$1; SameSite=Lax"

    # 2. Patch cross-site cookies for 2026 CHIPS compliance: append Partitioned
    #    to any SameSite=None cookie that doesn't already have it
    Header edit Set-Cookie (?i)^((?!.*;\s*Partitioned(?:;|$)).*;\s*SameSite=None.*)$ "$1; Partitioned"

A quick note: resist the shortcut of Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly; SameSite=Lax". It appends unconditionally, so an app that already sends the flags ends up with "Secure; Secure", and the blind SameSite=Lax overrides the app's own SameSite=None, because browsers keep the last value of a repeated attribute. Also, Header edit only touches the header table used for successful responses; repeat each rule with Header always edit if you need redirects and error responses patched too. It's always worth running a quick scan to make sure the final output looks clean.

Hopefully, that’s useful and keeps your SiteVitals scores green until everything changes again!


Getting these Partitioned flags right can be a bit of a headache, especially when you’re dealing with different subdomains or legacy backends. If you want to make sure your cookies are actually compliant with the 2026 standards (and more importantly, that they aren’t being blocked by the browser), feel free to run a quick test on your site.

I’ve updated the SiteVitals Free Scanner to specifically check for CHIPS compliance and secure session handling. It’s a lot faster than manually checking the Application tab in DevTools for every single cookie.

Check your cookie compliance: Free Website Security Scan →