Privacy and security panel

Kayce Basques
Kayce Basques
Sofia Emelianova
Sofia Emelianova

Use thePrivacy and security panel in Chrome DevTools to inspect and control third-party cookies and check HTTPS protection.

Overview

ThePrivacy and security panel is divided into two corresponding sections:

  • Privacy, where you can:
    • While DevTools is open, temporarily limit third-party cookies with or without exceptions and test how a website behaves.
    • See a table with information on third-party cookies, including whether they were blocked or exempted by the temporary limit mode, and what type of cookies may be impacted.

  • Security, where you can see your page's origins that includes HTTP security warnings, origin details and certificates.

    SeeWhy HTTPS Matters to learn why every website should be protected with HTTPS, even sites that don't handle sensitive user data.

Open the 'Privacy and security' panel

To open theSecurity panel, follow these steps:

  1. Open DevTools.
  2. Open theCommand menu by pressing:
    • macOS:Command+Shift+P
    • Windows, Linux, ChromeOS:Control+Shift+P

  3. Start typingprivacy, selectShow privacy and security, and pressEnter.

    The 'Privacy and security' panel.

Alternatively, in the top right corner, selectCustomize and control DevTools >More tools >Privacy and security.

Privacy: Control and inspect third-party cookies

ThePrivacy section lets you inspect and limit third-party cookies while DevTools is open.

Limit third-party cookies

To test how a website behaves when third-party cookies are limited in Chrome, do the following:

  1. InPrivacy >Controls, turn onTemporarily limit third-party cookies.

  2. Turn on the following exceptions, if required:

    • Third-party cookie grace period. To use this option, enroll a site or a site embedded on it in thegrace period.
    • Heuristics based exception. Inpredefined scenarios like pop-ups or redirects, a site embedded on this site can access third-party cookies.

    Temporarily limiting third-party cookies with both exceptions enabled.

  3. To apply the changes, clickReload in a prompt at the top of DevTools.

You can now test how the website bahaves and inspect third-party cookies and their issues as described next.

Inspect third-party cookies

With third-party cookies temporarily limited (with or without exceptions), inspect them in thePrivacy >Third-party cookies section.

When no third-party cookies are found, you'll see theNot a crumb left message.

The 'Not a crumb left' message.

Alternatively, depending on exceptions, some third-party cookies may be allowed and others blocked. TheThird-party cookies section lists them in a table that includes information about cookie status and a recommendation.

To filter the table:

  • By status, select a status value at the top:All,Allowed, orBlocked.

    A table that lists allowed and blocked third-party cookies.

  • By name or domain, start typing a query into the filter box.

    Filtering the table using the filter box and status value.

To sort the table, click a column name.

Security: Find common problems

TheSecurity section of the panel may display issues described next.

Non-secure main origins

When the main origin of a page is not secure, theSecurity >Overview saysThis page is not secure.

A non-secure page.

This problem occurs when the URL that you visited was requested over HTTP. To make it secure youneed to request it over HTTPS. For example, if you look at the URL in your address bar, it probablylooks similar tohttp://example.com. To make it secure the URL should behttps://example.com.

If you've already got HTTPS set up on your server, all you need to do to fix this problem isconfigure your server to redirect all HTTP requests to HTTPS.

If you don't have HTTPS set up on your server,Let's Encrypt provides a free andrelatively-easy way to start the process. Or, you might consider hosting your site on a CDN. Mostmajor CDNs host sites on HTTPS by default now.

Tip: TheRedirect HTTP Traffic To HTTPS audit inLighthouse can help automate theprocess of making sure that all HTTP requests are redirected to HTTPS.

Broken HTTPS

If there's a problem with HTTPS, theSecurity >Overview tells you what went wrong.

A page with broken HTTPS.

In this case, the page is missing a valid certificate because it expired.

Mixed content

Mixed content means that the main origin of a page is secure, but the page interacts with resourcesfrom non-secure origins. Mixed content pages are only partially protected because the HTTP contentis accessible to sniffers and vulnerable to man-in-the-middle attacks.

Mixed content.

Open theSecurity >Non-secure origins section and clickView requests in Network panel.

The 'View requests in Network panel' button.

DevTools takes you to theNetwork panel and applies relevant filters so that the network log only shows non-secure resources.

Mixed resources in the network log.

View security details

You can view certificate and origin details as described next.

View main origin certificate

From theSecurity >Overview clickView certificate to quickly inspect the main origin'scertificate.

A main origin certificate.

View origin details

Click one of the entries in theSecurity section to view the origin's details. From the details pageyou can view connection and certificate information. Certificate transparency information is alsoshown when available.

Main origin details.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-02-27 UTC.