The SameSite attribute on a Set-Cookie header tells the browser when to attach the cookie to outgoing requests. It is the browser's built-in defense against CSRF (Cross-Site Request Forgery) and a key control against cross-site tracking. "Same-site" is decided on the registrable domain (eTLD+1) plus scheme, not the full origin, so app.example.com and api.example.com are the same site while evil.example and example.com are not.
Three values:
- Strict -- the cookie is sent ONLY on same-site requests. Even a top-level navigation from another site (a user clicking a link to your site from someone else's page, or a 302 redirect from another site) arrives without it. Strongest CSRF defense, but the first request after following a cross-site link lands unauthenticated, which breaks "deep link straight into a logged-in page" UX.
- Lax -- the cookie is sent on same-site requests AND on top-level cross-site navigations that use a safe method (in practice GET). Cross-site POSTs, fetch()/XHR calls, iframes and images do not carry it. Chromium-based browsers (Chrome since version 80 in 2020) treat a cookie with no SameSite attribute as Lax; Firefox and Safari still treat it as None. Chrome's default-Lax behaviour also carves out a two-minute window in which a freshly set cookie without the attribute is still sent on top-level cross-site POSTs ("Lax+POST"); an explicit SameSite=Lax gets no such exception. Sensible default for session cookies on most apps.
- None -- the cookie is sent on ALL requests, including third-party iframes and cross-site fetches. Required for cross-site embedding (and what trackers rely on); browsers REJECT SameSite=None without the Secure flag, so it only works over HTTPS.
Common bugs:
- Setting SameSite=None without Secure -- the browser rejects the cookie silently. The symptom is a session that never exists on the client: unexplained logouts, redirect loops to the login page, embedded widgets that show the logged-out state.
- No SameSite attribute at all -- Chromium-based browsers treat the cookie as Lax, but Firefox and Safari treat it as None, so the same response behaves differently per browser. A few old clients are worse: some 2017-era Chromium versions and Safari on iOS 12 / macOS 10.14 mis-handle an explicit SameSite=None as Strict. Always set the attribute explicitly; if you must support those clients, either detect them by User-Agent and omit the attribute for them, or set a second cookie without it.
- Setting SameSite=Strict on a session cookie that must survive a cross-site redirect (e.g., the callback leg of an OAuth or OIDC login) -- the redirect from the identity provider back to your site is a cross-site top-level navigation, so with Strict the callback request arrives without the session cookie and the state/nonce check stored in that session fails. Lax covers a GET callback; a POST callback (OIDC response_mode=form_post, SAML POST binding) is blocked by Lax as well and needs the pre-login state kept in a separate cookie set with SameSite=None; Secure.
For the strongest CSRF defense, set SameSite=Lax (or Strict where the UX permits) explicitly, name the session cookie with the __Host- prefix (which forces Secure, Path=/ and no Domain attribute, so a subdomain cannot plant or overwrite it), and keep a per-session CSRF token on state-changing requests. SameSite on its own is not a complete defense: Lax still sends the cookie on cross-site GET navigations, so any state-changing GET endpoint stays forgeable; "same site" covers every subdomain of the registrable domain, so an XSS or open redirect on a sibling subdomain sidesteps the attribute; and browsers that ignore the attribute send the cookie everywhere.