diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..99799b2
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,4 @@
+# Force LF line endings for all text files.
+# Prevents gofmt/gofumpt/goimports CRLF false positives on Windows CI.
+# See: golangci/golangci-lint#580, golang/go#16355
+* text=auto eol=lf
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 1295d87..ffd537b 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,8 +11,11 @@ permissions:
 
 jobs:
   lint:
-    name: Lint
-    runs-on: ubuntu-latest
+    name: Lint (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
     steps:
       - uses: actions/checkout@v5
 
@@ -21,6 +24,7 @@ jobs:
           go-version-file: go.mod
 
       - name: Check spelling
+        if: matrix.os == 'ubuntu-latest'
         uses: crate-ci/typos@master
         with:
           config: ./.typos.toml
diff --git a/.gitignore b/.gitignore
index cc6f4d6..7802907 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,7 @@
 !go.sum
 
 # === Project root config ===
+!.gitattributes
 !.gitignore
 !.golangci.yml
 !.goreleaser.yml
diff --git a/browser/chromium/decrypt_test.go b/browser/chromium/decrypt_test.go
new file mode 100644
index 0000000..b0cc89d
--- /dev/null
+++ b/browser/chromium/decrypt_test.go
@@ -0,0 +1,64 @@
+//go:build darwin || linux
+
+package chromium
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/moond4rk/hackbrowserdata/crypto"
+)
+
+// testCBCIV is the fixed IV Chrome uses on macOS/Linux (16 space bytes).
+var testCBCIV = bytes.Repeat([]byte{0x20}, 16)
+
+func TestDecryptValue_V10(t *testing.T) {
+	plaintext := []byte("test_secret_value")
+	encrypted, err := crypto.AES128CBCEncrypt(testAESKey, testCBCIV, plaintext)
+	require.NoError(t, err)
+	v10Ciphertext := append([]byte("v10"), encrypted...)
+
+	tests := []struct {
+		name       string
+		key        []byte
+		want       []byte
+		wantErrMsg string // empty = no error expected
+	}{
+		{
+			name: "decrypts correctly",
+			key:  testAESKey,
+			want: plaintext,
+		},
+		{
+			name:       "wrong key returns padding error",
+			key:        []byte("wrong_key_1234!!"),
+			wantErrMsg: "pkcs5UnPadding",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := decryptValue(tt.key, v10Ciphertext)
+			if tt.wantErrMsg != "" {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tt.wantErrMsg)
+				assert.Nil(t, got)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestDecryptValue_V20(t *testing.T) {
+	// v20 App-Bound Encryption is not yet implemented.
+	// TODO: add successful decryption cases when implemented.
+	ciphertext := append([]byte("v20"), make([]byte, 32)...)
+	_, err := decryptValue(nil, ciphertext)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "v20")
+}
diff --git a/browser/chromium/decrypt_windows_test.go b/browser/chromium/decrypt_windows_test.go
new file mode 100644
index 0000000..6e92dc5
--- /dev/null
+++ b/browser/chromium/decrypt_windows_test.go
@@ -0,0 +1,83 @@
+//go:build windows
+
+package chromium
+
+import (
+	"fmt"
+	"syscall"
+	"testing"
+	"unsafe"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/moond4rk/hackbrowserdata/crypto"
+)
+
+// encryptWithDPAPI encrypts data using Windows DPAPI (CryptProtectData).
+// This is the reverse of crypto.DecryptWithDPAPI, used only for testing.
+func encryptWithDPAPI(plaintext []byte) ([]byte, error) {
+	crypt32 := syscall.NewLazyDLL("Crypt32.dll")
+	kernel32 := syscall.NewLazyDLL("Kernel32.dll")
+	protectDataProc := crypt32.NewProc("CryptProtectData")
+	localFreeProc := kernel32.NewProc("LocalFree")
+
+	var inBlob struct {
+		cbData uint32
+		pbData *byte
+	}
+	inBlob.cbData = uint32(len(plaintext))
+	if len(plaintext) > 0 {
+		inBlob.pbData = &plaintext[0]
+	}
+
+	var outBlob struct {
+		cbData uint32
+		pbData *byte
+	}
+
+	r, _, err := protectDataProc.Call(
+		uintptr(unsafe.Pointer(&inBlob)),
+		0, 0, 0, 0, 0,
+		uintptr(unsafe.Pointer(&outBlob)),
+	)
+	if r == 0 {
+		return nil, fmt.Errorf("CryptProtectData failed: %w", err)
+	}
+	defer localFreeProc.Call(uintptr(unsafe.Pointer(outBlob.pbData)))
+
+	size := int(outBlob.cbData)
+	result := make([]byte, size)
+	copy(result, (*[1 << 30]byte)(unsafe.Pointer(outBlob.pbData))[:size])
+	return result, nil
+}
+
+func TestDecryptValue_V10_Windows(t *testing.T) {
+	// Windows uses AES-GCM for v10 (not AES-CBC like macOS/Linux)
+	plaintext := []byte("test_secret_value")
+	nonce := []byte("123456789012") // 12-byte nonce
+
+	encrypted, err := crypto.AESGCMEncrypt(testAESKey, nonce, plaintext)
+	require.NoError(t, err)
+
+	// v10 format on Windows: "v10" + nonce(12) + encrypted
+	ciphertext := append([]byte("v10"), append(nonce, encrypted...)...)
+
+	got, err := decryptValue(testAESKey, ciphertext)
+	require.NoError(t, err)
+	assert.Equal(t, plaintext, got)
+}
+
+func TestDecryptValue_DPAPI_Windows(t *testing.T) {
+	// Round-trip: encrypt with CryptProtectData, decrypt with decryptValue
+	plaintext := []byte("dpapi_test_secret")
+
+	encrypted, err := encryptWithDPAPI(plaintext)
+	require.NoError(t, err)
+	require.NotEmpty(t, encrypted)
+
+	// No v10/v20 prefix → decryptValue routes to DPAPI path
+	got, err := decryptValue(nil, encrypted)
+	require.NoError(t, err)
+	assert.Equal(t, plaintext, got)
+}
diff --git a/browser/chromium/extract_cookie.go b/browser/chromium/extract_cookie.go
index 7995c46..76e1f14 100644
--- a/browser/chromium/extract_cookie.go
+++ b/browser/chromium/extract_cookie.go
@@ -1,6 +1,8 @@
 package chromium
 
 import (
+	"bytes"
+	"crypto/sha256"
 	"database/sql"
 	"sort"
 
@@ -30,6 +32,7 @@ func extractCookies(masterKey []byte, path string) ([]types.CookieEntry, error)
 			}
 
 			value, _ := decryptValue(masterKey, encryptedValue)
+			value = stripCookieHash(value, host)
 			return types.CookieEntry{
 				Name:       name,
 				Host:       host,
@@ -50,3 +53,19 @@ func extractCookies(masterKey []byte, path string) ([]types.CookieEntry, error)
 	})
 	return cookies, nil
 }
+
+// stripCookieHash removes the SHA256(host_key) prefix from a decrypted cookie value.
+// Chrome 130+ (Cookie DB schema version 24) prepends SHA256(domain) to the cookie
+// value before encryption to prevent cross-domain cookie replay attacks.
+// If the first 32 bytes don't match SHA256(hostKey), the value is returned unchanged,
+// which handles both older Chrome versions and tampered data.
+func stripCookieHash(value []byte, hostKey string) []byte {
+	if len(value) < sha256.Size {
+		return value
+	}
+	hash := sha256.Sum256([]byte(hostKey))
+	if bytes.Equal(value[:sha256.Size], hash[:]) {
+		return value[sha256.Size:] // empty slice if value was exactly 32 bytes
+	}
+	return value
+}
diff --git a/browser/chromium/extract_cookie_test.go b/browser/chromium/extract_cookie_test.go
index 333d9fc..81dda90 100644
--- a/browser/chromium/extract_cookie_test.go
+++ b/browser/chromium/extract_cookie_test.go
@@ -1,6 +1,7 @@
 package chromium
 
 import (
+	"crypto/sha256"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -25,11 +26,63 @@ func TestExtractCookies(t *testing.T) {
 	assert.Equal(t, "token", got[0].Name)
 	assert.Equal(t, "/api", got[0].Path)
 	assert.True(t, got[0].IsSecure)
-	assert.False(t, got[0].IsHTTPOnly) // httpOnly=0
+	assert.False(t, got[0].IsHTTPOnly)
 	assert.False(t, got[0].CreatedAt.IsZero())
-	assert.False(t, got[0].ExpireAt.IsZero())
 	assert.True(t, got[0].ExpireAt.After(got[0].CreatedAt))
-
-	// Verify second cookie flags
-	assert.True(t, got[1].IsHTTPOnly) // httpOnly=1
+	assert.True(t, got[1].IsHTTPOnly)
+}
+
+func TestStripCookieHash(t *testing.T) {
+	googleHash := sha256.Sum256([]byte(".google.com"))
+	shopifyHash := sha256.Sum256([]byte(".shopify.com"))
+
+	tests := []struct {
+		name    string
+		value   []byte
+		hostKey string
+		want    string
+	}{
+		{
+			name:    "Chrome 130+ strips SHA256 prefix",
+			value:   append(googleHash[:], []byte("GA1.3.240937927.1770097858")...),
+			hostKey: ".google.com",
+			want:    "GA1.3.240937927.1770097858",
+		},
+		{
+			name:    "Chrome 130+ empty original value",
+			value:   shopifyHash[:],
+			hostKey: ".shopify.com",
+			want:    "",
+		},
+		{
+			name:    "older Chrome no prefix",
+			value:   []byte("plain_cookie_value"),
+			hostKey: ".example.com",
+			want:    "plain_cookie_value",
+		},
+		{
+			name:    "short value unchanged",
+			value:   []byte("short"),
+			hostKey: ".example.com",
+			want:    "short",
+		},
+		{
+			name:    "host mismatch not stripped",
+			value:   append(googleHash[:], []byte("value")...),
+			hostKey: ".other.com",
+			want:    string(append(googleHash[:], []byte("value")...)),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := stripCookieHash(tt.value, tt.hostKey)
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestStripCookieHash_NilValue(t *testing.T) {
+	got := stripCookieHash(nil, ".example.com")
+	assert.Nil(t, got)
 }
diff --git a/browser/chromium/testutil_test.go b/browser/chromium/testutil_test.go
index d2bd1cc..425fd56 100644
--- a/browser/chromium/testutil_test.go
+++ b/browser/chromium/testutil_test.go
@@ -12,6 +12,14 @@ import (
 	_ "modernc.org/sqlite"
 )
 
+// ---------------------------------------------------------------------------
+// Shared test constants for Chromium encryption.
+// Reusable across decrypt, cookie, password, and creditcard tests.
+// ---------------------------------------------------------------------------
+
+// testAESKey is a 16-byte AES-128 key for constructing test ciphertext.
+var testAESKey = []byte("0123456789abcdef")
+
 // ---------------------------------------------------------------------------
 // Real Chrome table schemas — extracted via `sqlite3 <db> ".schema <table>"`.
 // Using complete schemas ensures our SQL queries work against real browser data.
diff --git a/crypto/keyretriever/params.go b/crypto/keyretriever/params.go
index fc7ff14..66e33e8 100644
--- a/crypto/keyretriever/params.go
+++ b/crypto/keyretriever/params.go
@@ -1,3 +1,5 @@
+//go:build darwin || linux
+
 package keyretriever
 
 import (
diff --git a/filemanager/copy_windows.go b/filemanager/copy_windows.go
index b36ac8d..f6010b2 100644
--- a/filemanager/copy_windows.go
+++ b/filemanager/copy_windows.go
@@ -127,7 +127,7 @@ func findFileHandle(targetPath string) (windows.Handle, error) {
 			0, false,
 			windows.DUPLICATE_SAME_ACCESS,
 		)
-		windows.CloseHandle(process)
+		_ = windows.CloseHandle(process)
 		if err != nil {
 			continue
 		}
@@ -135,21 +135,21 @@ func findFileHandle(targetPath string) (windows.Handle, error) {
 		// Verify it's a disk file (not a pipe, device, etc.)
 		fileType, _, _ := procGetFileType.Call(uintptr(dupHandle))
 		if fileType != fileTypeDisk {
-			windows.CloseHandle(dupHandle)
+			_ = windows.CloseHandle(dupHandle)
 			continue
 		}
 
 		// Get the file path and check if it matches our target
 		name, err := getFinalPathName(dupHandle)
 		if err != nil {
-			windows.CloseHandle(dupHandle)
+			_ = windows.CloseHandle(dupHandle)
 			continue
 		}
 
 		if strings.HasSuffix(strings.ToLower(name), targetSuffix) {
 			return dupHandle, nil
 		}
-		windows.CloseHandle(dupHandle)
+		_ = windows.CloseHandle(dupHandle)
 	}
 
 	return 0, fmt.Errorf("no process has file open: %s", targetPath)