SameSite Cookie Attribute (SameSite Cookies)

Security Glossary - Web Security

Definition: The SameSite cookie attribute tells the browser when a cookie may be attached to a cross-site request, that is, a request whose initiating site (scheme plus registrable domain, for example https://bank.example) differs from the site being requested. SameSite=Strict sends the cookie only with same-site requests. SameSite=Lax also sends it on top-level navigations that use a safe HTTP method, such as clicking a link (a GET), but not on cross-site POSTs, embedded subresources or fetch/XHR calls. SameSite=None sends it with all requests; browsers require the Secure flag for None and reject the cookie without it.

Why SameSite Cookies Are Important

SameSite is one of the most effective browser-side defenses against CSRF. When set to Strict or Lax, the browser does not attach the cookie to state-changing requests initiated from other sites (cross-site form posts, fetch/XHR calls, embedded subresources), so an attacker's page cannot make authenticated requests on the user's behalf. Because it is enforced by the browser rather than the application, it should complement anti-CSRF tokens or Origin checks rather than replace them: it offers nothing against requests that originate from a same-site host (such as an attacker-controlled subdomain), and Lax still allows cross-site top-level GET navigations.

Chrome (from version 80) began treating cookies without an explicit SameSite attribute as SameSite=Lax in 2020. This broke some cross-site authentication and embedding flows, which had to move to SameSite=None; Secure, but it significantly reduced CSRF exposure across the web. Two caveats: not every browser applies this default, and Chromium exempts defaulted (not explicitly Lax) cookies from the Lax rule on cross-site top-level POST requests for the first two minutes after they are set. An explicit SameSite=Lax is therefore stricter than relying on the default.

SameSite=Strict is the most restrictive but can cause usability issues. If a user follows a link to your site from an external page or an email client, the session cookie is not sent on that first navigation, so the user appears logged out until they navigate again within the site. SameSite=Lax is the recommended default for session cookies because it keeps cookies on top-level navigations (preserving login state) while withholding them from cross-site form submissions, fetch/XHR requests and embedded subresources. The trade-off is that Lax still sends the cookie on cross-site top-level GET navigations, so any endpoint that changes state in response to a GET remains exposed; keep state changes on POST or another non-safe method.

How to Check

A security audit inspects the Set-Cookie headers your site returns and checks each cookie's SameSite attribute. Session and other authentication cookies should carry an explicit SameSite=Lax or SameSite=Strict (together with Secure, and HttpOnly unless script needs to read them) rather than relying on the browser default. If a cookie genuinely needs to be sent cross-site (third-party embeds, some federated login flows), use SameSite=None together with the Secure flag; a None cookie without Secure is rejected by modern browsers, which tends to surface as a silently broken integration rather than an error.
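One way to run that check yourself, as an added example that is not DomainOptic's scanner or any code from the original page: a small JavaScript parser for Set-Cookie headers and an audit function that flags the SameSite problems described above. The header lines are constructed samples; the cookie names, the session-name heuristic and the finding texts are assumptions for illustration. In practice, feed it the headers captured with `curl -sI https://your-site.example | grep -i set-cookie` or copied from the browser's Network panel.

```javascript
// Added example, not the page's or DomainOptic's code: audit Set-Cookie
// headers for SameSite problems. Sample headers below are constructed.

// Minimal Set-Cookie parser: "name=value; Attr; Attr=Value; ..."
function parseSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attributes: {} };
  for (const attr of rawAttrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? true : attr.slice(i + 1).trim();
    cookie.attributes[key] = value;
  }
  return cookie;
}

// Heuristic for "looks like a session cookie" (assumption; adapt to your app).
const SESSION_NAME_RE = /(sess|sid|auth|token|login)/i;

function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const secure = attributes.secure === true;
  const raw = attributes.samesite;
  const sameSite = typeof raw === 'string' ? raw.toLowerCase() : undefined;
  const findings = [];

  if (sameSite === undefined) {
    findings.push('missing SameSite: relies on the browser default, which is Lax in Chromium but not enforced by every browser');
  } else if (!['strict', 'lax', 'none'].includes(sameSite)) {
    findings.push(`unrecognised SameSite value "${raw}": browsers treat it as if the attribute were absent`);
  } else if (sameSite === 'none') {
    if (!secure) {
      findings.push('SameSite=None without Secure: modern browsers reject the cookie');
    } else {
      findings.push('SameSite=None: sent on every cross-site request; confirm a third-party use case requires it');
    }
  }
  // Session-like cookies need an explicit Lax or Strict regardless of the above.
  if (SESSION_NAME_RE.test(name) && sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('session-like cookie should be SameSite=Lax or SameSite=Strict');
  }
  return { name, sameSite, secure, findings };
}

// Returns only the cookies that have at least one finding.
function auditAll(headers) {
  return headers.map(auditSetCookie).filter(r => r.findings.length > 0);
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',   // fine
  'csrftoken=xyz; Path=/; Secure; SameSite=Strict',              // fine
  'legacy_auth=old; Path=/; Secure; HttpOnly',                    // no SameSite
  'widget=1; Path=/; SameSite=None',                              // None, no Secure
  'embed_pref=dark; Path=/; Secure; SameSite=None',               // None, justify it
  'theme=dark; Path=/; SameSite=Weird'                            // bogus value
];

for (const result of auditAll(SAMPLE_HEADERS)) {
  console.log(result.name, '->', result.findings.join(' | '));
}
```

The name-based heuristic is deliberately loose; the point is that an authentication cookie with no SameSite attribute should be treated as a finding even on a browser that defaults to Lax, because the defaulted cookie is weaker than an explicit one and the default is not universal.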


Common Questions About SameSite Cookies

Should I use SameSite=Strict or SameSite=Lax?
Lax is recommended for most session cookies. It blocks cross-site POSTs and fetch/XHR requests while preserving login state when users arrive at your site from external links. Strict is better for highly sensitive operations (such as banking or account-management actions) where you can accept the usability trade-off. A common compromise is two cookies: a Lax cookie that carries general login state and a separate Strict cookie that is checked only on sensitive actions, so those actions cannot be reached directly from a cross-site navigation while ordinary links keep working.
What does SameSite=None do?
SameSite=None opts the cookie out of SameSite restrictions, so it is sent with all cross-site requests, including cross-site POSTs and fetch calls. It exists for legitimate cross-site use cases such as third-party widgets, embedded content and some federated login flows. It must be paired with the Secure flag (the cookie is only sent over HTTPS, and browsers reject None without Secure), it should be used sparingly, and any endpoint that accepts a None cookie needs its own CSRF defense because the browser provides none.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.