Cookie Policy

token — set on login/registration. Contains a cryptographically random session identifier. The raw token is never stored on our servers; only its SHA-256 hash is stored in the database. The cookie is:

• HttpOnly: JavaScript cannot read it (prevents XSS theft).

• Secure (production): only sent over HTTPS.

• SameSite=Lax: not sent on cross-site requests initiated by third parties.

cc.csrf — set when you first visit. Used by our double-submit CSRF protection scheme. It contains a cryptographically random token that must be echoed in the X-CSRF-Token request header for all POST/PATCH/DELETE operations. The cookie is:

• HttpOnly: unreadable by JavaScript (the CSRF token value is separately delivered via a JSON endpoint to the page script).

• Secure (production): only sent over HTTPS.

• SameSite=Strict (production): never sent cross-site.

CordCat does not use:

• Advertising or marketing cookies.

• Analytics cookies (no Google Analytics, Hotjar, Mixpanel, etc.).

• Social media tracking pixels.

• Any third-party cookies whatsoever.

We run entirely on first-party, strictly necessary cookies. No cookie consent banner is required because we have no non-essential cookies.

You can clear, block, or manage cookies through your browser settings. Note that deleting the token cookie will log you out. The CSRF cookie is regenerated automatically on your next visit.

Browser-specific instructions:

• Google Chrome

• Mozilla Firefox

• Apple Safari

• Microsoft Edge

Cookie or privacy questions: [email protected]