SameSite Cookie Attribute
A cookie attribute that controls whether cookies are sent with cross-site requests, providing built-in CSRF protection.
Description
The SameSite cookie attribute is a browser security mechanism that controls when cookies are included in cross-site requests. Introduced to combat CSRF attacks, it provides three modes: Strict, which never sends the cookie with any cross-site request; Lax, which sends the cookie only with top-level navigations using safe HTTP methods (GET); and None, which sends the cookie with all cross-site requests but requires the Secure flag. Most modern browsers default to Lax when no SameSite attribute is specified.
SameSite=Strict provides the strongest protection but can impact user experience -- for example, a user clicking a link to your site from an email or external page won't have their session cookie sent, requiring them to log in again. SameSite=Lax is generally the recommended default because it allows cookies on top-level GET navigations (so links from external sites work) while blocking cookies on cross-site POST requests, cross-site form submissions, and resource loads embedded in other sites.
SameSite=None is necessary for legitimate cross-site use cases such as third-party embeds, widgets, single sign-on flows, and cross-site API calls that require authentication. When using None, the Secure flag is mandatory (browsers reject SameSite=None without Secure). Organizations should audit their cookies to identify which truly need None and apply Strict or Lax to all others. Note that SameSite alone is not a complete CSRF defense -- it should be combined with CSRF tokens for defense in depth.
Prompt Snippet
Set SameSite=Lax as the default for all session and authentication cookies to prevent CSRF while preserving top-level navigation flows. Use SameSite=Strict for highly sensitive cookies (banking operations, account settings tokens) where cross-site navigation loss is acceptable. Reserve SameSite=None only for cookies that genuinely require cross-site delivery (OAuth/SSO flows, embedded widgets), and always pair None with the Secure flag. When migrating legacy cookies to SameSite, enable the SameSite-by-default-cookies Chrome flag in test browsers and audit cross-site flows using the Application tab in DevTools to identify breakage.
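The following is an added example, not code from the original glossary entry: a small JavaScript model of the Strict/Lax/None rules described in the Description, plus a Set-Cookie builder and audit helper matching the guidance above. The request context object (crossSite, topLevelNavigation, method, https) and all function names are assumptions made for the illustration; the two-minute "Lax-allowing-unsafe" grace period some browsers apply to unspecified cookies is not modelled, and an unspecified SameSite is treated as Lax, as the text states.

```javascript
// Added example: model of SameSite send decisions and a Set-Cookie audit.
// Not the page's own code; field names and helpers are assumptions.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse a Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const idx = p.indexOf('=');
    const key = (idx === -1 ? p : p.slice(0, idx)).toLowerCase();
    attrs[key] = idx === -1 ? true : p.slice(idx + 1);
  }
  return { name: name.trim(), value: rest.join('='), attrs };
}

// Effective mode: unspecified (or unrecognised) SameSite is treated as Lax,
// the browser default described in the Description.
function effectiveSameSite(cookie) {
  const raw = cookie.attrs.samesite;
  if (typeof raw !== 'string') return 'Lax';
  const v = raw.toLowerCase();
  if (v === 'strict') return 'Strict';
  if (v === 'none') return 'None';
  return 'Lax';
}

// Would a browser attach this cookie to a request?
// ctx: { crossSite, topLevelNavigation, method, https } (assumed shape)
function wouldSendCookie(cookie, ctx) {
  const secure = cookie.attrs.secure === true;
  const mode = effectiveSameSite(cookie);
  if (secure && !ctx.https) return false;        // Secure cookies never travel over plain HTTP
  if (mode === 'None' && !secure) return false;  // None without Secure is rejected, so never sent
  if (!ctx.crossSite) return true;               // same-site requests always carry the cookie
  switch (mode) {
    case 'Strict':
      return false;                              // never on cross-site requests
    case 'Lax':                                  // only top-level navigations with a safe method
      return ctx.topLevelNavigation && SAFE_METHODS.has(ctx.method.toUpperCase());
    default:
      return true;                               // None + Secure: all cross-site requests
  }
}

// Build a Set-Cookie value that enforces the rules from the prompt snippet:
// Lax by default, and None is refused unless paired with Secure.
function buildSetCookie(name, value, opts) {
  const { sameSite = 'Lax', secure = true, httpOnly = true, path = '/' } = opts || {};
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error('invalid SameSite value: ' + sameSite);
  }
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Audit a Set-Cookie header and return finding codes (constructed labels).
function auditSetCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (typeof cookie.attrs.samesite !== 'string') findings.push('samesite-missing');
  const mode = effectiveSameSite(cookie);
  if (mode === 'None' && cookie.attrs.secure !== true) findings.push('none-without-secure');
  if (mode === 'None') findings.push('review-cross-site-need');
  return findings;
}
```

Running the audit over a server's real Set-Cookie headers (captured from DevTools or a proxy) gives the inventory the Description asks for: cookies with no SameSite attribute, cookies using None without Secure, and cookies using None at all, each of which should be justified or tightened to Lax or Strict.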
Related Terms
CSRF (Cross-Site Request Forgery) Protection
Mechanisms to prevent unauthorized commands from being transmitted from a user that the web application trusts.
Secure Cookie Configuration
Properly configuring cookie attributes to prevent theft, tampering, and misuse of session and authentication cookies.
HttpOnly & Secure Flags
Cookie attributes that prevent JavaScript access (HttpOnly) and restrict transmission to HTTPS (Secure), protecting against XSS and network interception.