samesite

SameSite is a cookie attribute used by web browsers to control whether a cookie is sent with cross-site requests. It is set in the Set-Cookie header as SameSite=value and works with other cookie attributes such as Secure and HttpOnly. The goal is to reduce the chances that a cookie is sent in contexts initiated by other sites, thereby lowering the risk of certain cross-site attacks such as CSRF (cross-site request forgery).

The attribute supports three values: Strict, Lax, and None. Strict means the cookie is sent only in first-party contexts; cross-site requests will not include the cookie. Lax allows the cookie to be sent for top-level navigations initiated by a cross-site URL, but not for most subresource requests like images or iframes. None allows the cookie to be sent in all contexts, including cross-site requests, but it requires the cookie to be Secure (transmitted over HTTPS) in modern browsers.

Compatibility and defaults: If a cookie omits the SameSite attribute, many browsers treat it as SameSite=Lax by default, which constrains cross-site usage unless explicitly overridden. Developers should explicitly set SameSite to the intended value. For session cookies that authenticate a user, Lax is a common safe default; Strict provides stronger protection but can disrupt certain navigation flows. None is used for cross-origin use cases such as third-party widgets, but it should be paired with additional CSRF protections.

History and impact: The SameSite attribute gained prominence in the 2010s as browsers standardized anti-CSRF measures. Today, major browsers support SameSite, with evolving default handling for cookies that do not specify the attribute and for those marked None. Proper configuration helps balance security with the functional needs of web applications.
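The rules above, modelled as an added example (not code from any browser or from the original page): it parses a Set-Cookie header, applies the Lax default and the None-requires-Secure rule, and decides whether a stored cookie is attached to a request. It goes one step beyond the text by also requiring a safe HTTP method for Lax cross-site navigations, as the cookie specification does; the request-context shape (`sameSite`, `topLevel`, `method`, `https`) is an assumption of this example.

```javascript
// Simplified model of a browser's SameSite decision (added example, not browser code).
// Assumed context shape: { sameSite, topLevel, method, https }.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse "name=value; Attr; Attr=val" into { name, value, attrs } (attribute keys lower-cased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Effective SameSite mode. A missing attribute defaults to Lax (as the text states).
// SameSite=None without Secure is rejected, so the cookie is never stored: returns null.
function effectiveSameSite(cookie) {
  const raw = String(cookie.attrs.samesite || "Lax").toLowerCase();
  const mode = raw === "strict" ? "Strict" : raw === "none" ? "None" : "Lax";
  if (mode === "None" && cookie.attrs.secure !== true) return null;
  return mode;
}

// Would the browser attach this cookie to a request made in context ctx?
//   ctx.sameSite: request initiated by the cookie's own site
//   ctx.topLevel: top-level navigation (address bar / link), not a subresource or iframe
//   ctx.method:   HTTP method of the request
//   ctx.https:    request goes over HTTPS
function cookieIsSent(cookie, ctx) {
  const mode = effectiveSameSite(cookie);
  if (mode === null) return false;                         // rejected at Set-Cookie time
  if (cookie.attrs.secure === true && !ctx.https) return false; // Secure cookies need HTTPS
  if (ctx.sameSite) return true;                           // same-site requests always carry it
  switch (mode) {
    case "Strict": return false;                           // never on cross-site requests
    case "None":   return true;                            // all contexts (already Secure)
    case "Lax":    return ctx.topLevel && SAFE_METHODS.has(ctx.method.toUpperCase());
    default:       return false;
  }
}
```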