SameSite Cookie
What is SameSite Cookie?
A cookie attribute that controls whether browsers attach the cookie on cross-site requests, with values Strict, Lax and None, used primarily to mitigate CSRF.
The 'SameSite' attribute on a 'Set-Cookie' header tells the browser when the cookie may be sent on requests that originate from another site. 'Strict' withholds the cookie on all cross-site navigations and sub-requests; 'Lax' (now the default in most browsers) sends it only on top-level GET navigations; 'None' allows it in every context but requires the 'Secure' attribute. Setting cookies to 'Lax' or 'Strict' is one of the most effective mitigations against Cross-Site Request Forgery and also reduces the tracking surface. Authentication and session cookies should generally use 'Lax' (or 'Strict' for sensitive flows), combined with the 'HttpOnly' and 'Secure' flags and explicit CSRF tokens for state-changing requests.
● Examples
- 01
'Set-Cookie: session=abc; Secure; HttpOnly; SameSite=Lax; Path=/'.
- 02
An embedded payment iframe requires 'SameSite=None; Secure' so that the cookie is still sent in the cross-site context.
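The following is an added example, not part of this glossary entry: it builds a 'Set-Cookie' header with the flags described above and models the browser's send decision for the three SameSite values against the request shapes a CSRF attempt or an embedded iframe would produce. The function names ('build_set_cookie', 'cookie_sent', 'csrf_scenarios') are assumptions made for this illustration, and the model assumes all requests travel over HTTPS.

```python
# Added example (not from the glossary page); function names are assumed.
VALID_SAME_SITE = ("Strict", "Lax", "None")
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # RFC 9110 safe methods


def build_set_cookie(name, value, same_site="Lax", secure=True,
                     http_only=True, path="/"):
    """Build a Set-Cookie header value with the flags discussed above.

    Refuses SameSite=None without Secure, which browsers reject anyway.
    """
    if same_site not in VALID_SAME_SITE:
        raise ValueError(f"unknown SameSite value: {same_site}")
    if same_site == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    parts += [f"SameSite={same_site}", f"Path={path}"]
    return "; ".join(parts)


def cookie_sent(same_site, cross_site, top_level, method):
    """Simplified model of whether a browser attaches the cookie to a request.

    cross_site: the request initiator is a different site from the cookie's.
    top_level:  the request is a top-level navigation (not an iframe, img or fetch).
    Assumes HTTPS throughout and ignores browser grace periods for cookies
    set without an explicit SameSite attribute.
    """
    if same_site not in VALID_SAME_SITE:
        raise ValueError(f"unknown SameSite value: {same_site}")
    if same_site == "None":
        return True           # None: attached in every context (Secure required)
    if not cross_site:
        return True           # same-site requests always carry the cookie
    if same_site == "Strict":
        return False          # Strict: never on cross-site requests
    # Lax: only top-level navigations using a safe method, e.g. a followed link
    return top_level and method.upper() in SAFE_METHODS


def csrf_scenarios(same_site):
    """Which cross-site request shapes would carry a cookie with this value."""
    return {
        "link_click": cookie_sent(same_site, True, True, "GET"),    # user follows a link
        "form_post": cookie_sent(same_site, True, True, "POST"),    # auto-submitted form (CSRF)
        "iframe_embed": cookie_sent(same_site, True, False, "GET"), # embedded payment iframe
    }
```

For a session cookie, the 'form_post' row is the one that matters: 'Lax' and 'Strict' both leave it False, which is why the cross-site POST arrives unauthenticated, while the payment iframe only works with 'None'.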
● Frequently asked questions
What is SameSite Cookie?
A cookie attribute that controls whether browsers attach the cookie on cross-site requests, with values Strict, Lax and None, used primarily to mitigate CSRF. It belongs to the Application Security category of cybersecurity.
What does SameSite Cookie mean?
A cookie attribute that controls whether browsers attach the cookie on cross-site requests, with values Strict, Lax and None, used primarily to mitigate CSRF.
How do you defend against SameSite Cookie?
Defences for SameSite Cookie typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for SameSite Cookie?
Common alternative names include: SameSite attribute.