Severity: Best Practice
Cookies are typically sent to third parties in cross origin requests. This can be abused to do CSRF attacks. Recently a new cookie attribute named SameSite was proposed to disable third-party usage for some cookies, to prevent CSRF attacks.
Same-site cookies allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.
The server can set a same-site cookie by adding the
SameSite=... attribute to the
Set-Cookie header. There are three possible values for the
Set-Cookie: key=value; SameSite=Lax
Set-Cookie: key=value; SameSite=Strict
SameSite=Nonemust also specify the
Secureattribute to transfer them via a secure context. Setting a
SameSite=Nonecookie without the
Secureattribute will be rejected by the browsers.
Set-Cookie: key=value; SameSite=None; Secure