SameSite Cookies

The SameSite attribute of the Set-Cookie HTTP response header allows you to declare whether your cookie should be restricted to a first-party or same-site context. The SameSite attribute can take one of three values, each indicating a different restriction on the cookie:

Lax
Cookies are allowed to be sent with top-level navigations and will be sent along with GET requests initiated by a third-party website. This is the default value in modern browsers.

Strict
Cookies will only be sent in a first-party context and will not be sent along with requests initiated by third-party websites.

None
Cookies will be sent in all contexts, i.e. sending cross-origin is allowed.

None used to be the default value, but recent browser versions made Lax the default in order to provide a reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks. None requires the Secure attribute in the latest browser versions.
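The following is an added example, not part of the original page: it parses a Set-Cookie header and models the sending rules described above (Lax as the default, Strict never cross-site, None only with Secure). The function and parameter names are the example's own, and the header values are constructed.

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    same_site: str   # "Lax", "Strict" or "None"
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie value; a missing SameSite defaults to Lax, as in modern browsers."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    same_site, secure = "Lax", False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "samesite":
            value = value.strip().capitalize()          # "none" -> "None"
            # Unrecognised values are treated like the Lax default here
            same_site = value if value in ("Lax", "Strict", "None") else "Lax"
        elif key.strip().lower() == "secure":
            secure = True
    return Cookie(name, same_site, secure)


def is_sent(cookie: Cookie, same_site_request: bool,
            top_level_navigation: bool, method: str) -> bool:
    """Return True if a browser applying the rules above would attach the cookie."""
    # SameSite=None without Secure is rejected, so the cookie is never sent.
    if cookie.same_site == "None" and not cookie.secure:
        return False
    if same_site_request:
        return True                      # first-party: every value is sent
    if cookie.same_site == "Strict":
        return False                     # never on cross-site requests
    if cookie.same_site == "Lax":
        # only cross-site top-level GET navigations carry the cookie
        return top_level_navigation and method.upper() == "GET"
    return True                          # None + Secure: sent in all contexts


if __name__ == "__main__":
    # Constructed headers illustrating each value
    for hdr in ("session=abc; Path=/; Secure; HttpOnly",
                "csrf=xyz; SameSite=Strict; Secure",
                "track=1; SameSite=None"):
        c = parse_set_cookie(hdr)
        print(c.name, c.same_site, "cross-site POST sent:",
              is_sent(c, False, False, "POST"))
```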