Cookie is live | Matthew Deaves

Cookie is a recipe app I built. It's now live at cookie.matthewdeaves.com for my own use. The source is on GitHub and there's a home hosting mode if you want to run your own copy. This is what it does and the work that went into making it ready for the 'sort of' open internet.

Cookie searches across a list of cooking sites and shows you results from all of them in one place. You can save the ones you like, get suggestions for what to cook tonight, and step through the recipe in a cooking mode with built-in timers when you're ready to make it.

There are also some optional AI features: ask it to remix a recipe to make it vegetarian, scale the ingredients up or down for different numbers of people, or get cooking tips for whatever you're making.

Cookie also works really well installed as a home-screen web app. On an iPhone or iPad, open the site in Safari and tap "Add to Home Screen"; on Android, Chrome's menu has an "Install app" option. You get an app icon, full-screen layout with no browser bars, and it behaves like a proper installed app.

A recipe page with ingredients and step-by-step instructions — Recipe page

Search results across multiple cooking websites — Search across cooking sites

Cooking mode showing a step with an active timer — Cooking mode with timer

An AI-remixed version of a recipe — AI recipe remix

#Signing in

There are no passwords. You sign in with a passkey, which is a digital key your phone or laptop generates and stores for you. Cookie never asks for your name or email. The account just gets a random string of letters and numbers as a username. The privacy policy lists everything that's stored.

I built it this way on purpose. I'd rather not be responsible for anyone's data.

There's also a version that works on really old iPads. Mine is a 2012 model that I keep in the kitchen. Those iPads are too old for passkeys, so they pair with a one-time code instead: you generate the code on a modern device and type it into the iPad.

Passkey management screen — Passkey management

The pair-a-device screen showing a one-time code — Pair an old iPad with a code

#Why I'm not opening it up

When you run a search, cookie scrapes data from a handful of cooking sites. I don't monetise anything and I don't let people share recipes around, but opening the live site to the whole world means those scrapes happen on my behalf for whoever turns up, which probably isn't a great idea.

If you want to play around with cookie, email me and I'll set you up with a one-time pairing code. Or run your own copy — the Quick Start (Production) section of the README pulls a prebuilt container from GitHub's registry, and it's three commands to a working install.

In the meantime, this does mean I can open-source the infrastructure-as-code project that runs cookie on AWS. That'll show the safeguards and tooling I've built up so Claude Code can act as my devops engineer on the live cookie site and the AWS infrastructure behind it. More to come on that.

#Path to live

The first version of cookie took three days back in January 2026. The next sixteen weeks were about getting it ready to run on the 'sort of' open internet.

A big piece of that was security testing. I had AI-driven tools (HexStrike, mainly) try to break into the app and tell me what they found. Each round turned up a handful of small problems and I fixed them.

Running HexStrike also showed me the admin area on the public site had too much attack surface. So for passkey mode (the version that runs on the open internet), I either removed features outright or pushed them to self-hosted mode only, where cookie runs on your own server. A few examples:

The old password-and-email sign-in (passkeys replaced it on the public site; the self-hosted home mode runs with no sign-in at all)
The "reset everything" button on the website (you can still reset, but only from a terminal)
The ability to fetch a recipe from any URL on the internet (now restricted to a small list of cooking sites I've vetted)