Use SameSite attribute to enhance cookie security
Cookies by default are sent along with all requests that are sent to your domain. Since they are used primarily to hold login information, this mechanism is what makes attacks like CSRF (Cross-Site Request Forgery) possible.
When a malicious site makes your browser send a request (be it GET or POST) to your site, that request is handled as coming from your logged-in session.
When you are on evilsite.com and it loads an image from bank.com/transfer?from=...&to=...&amount=..., that is a problem.
Set the SameSite attribute for the cookies
Setting SameSite on a cookie turns on CORS, so that when a request is made from a 3rd-party site the cookie is not sent. This prevents attacks that rely on you being logged in on another site.
Strict vs Lax
There are two possible values for SameSite: Strict and Lax.
The difference is how they handle redirects.
With Lax, when a 3rd-party site redirects to your site, the cookies are sent. But with Strict, even though the URL has nothing to do with the 3rd-party site, the cookies will be missing.
Which one to use?
Using Lax is usually the safer solution. It brings most of the benefits of CORS, but won't break features like OAuth that rely on redirecting to your site. Using Strict is still possible in that case, but it complicates the flow.
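To make the Strict/Lax/None behaviour concrete, here is an added example (not code from the original post) that builds a hardened Set-Cookie header and models the browser-side rule a SameSite cookie is subject to. Two points worth noting alongside the post: SameSite is a browser cookie-attachment rule and works independently of CORS, and the Lax/Strict difference is really about top-level navigations (a redirect or a clicked link landing on your site is a top-level GET, an embedded image or an auto-submitted POST form is not), which is why Lax keeps the OAuth redirect working while still dropping the cookie from the evilsite.com image load. The model is simplified: it ignores the Public Suffix List, Path/Domain scoping and the short "Lax-allowing-unsafe" grace period some browsers grant to freshly set cookies. bank.com and evilsite.com come from the post; oauth-provider.example is a constructed placeholder.

```python
"""SameSite cookies: building the header and modelling the browser's decision.

Added example, not code from the original post. The browser model is a
simplified rendering of the SameSite rules, adequate for the hostnames here.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit


def build_set_cookie(name: str, value: str, same_site: str = "Lax",
                     secure: bool = True, http_only: bool = True,
                     path: str = "/") -> str:
    """Return a Set-Cookie header value with the hardening attributes set.

    Browsers only honour SameSite=None when Secure is also present, so that
    combination is rejected here instead of being emitted silently.
    """
    same_site = same_site.capitalize()
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError(f"unsupported SameSite value: {same_site!r}")
    if same_site == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}", f"Path={path}", f"SameSite={same_site}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def site_of(url: str) -> str:
    """Registrable domain of a URL, simplified to the last two host labels.

    Real browsers consult the Public Suffix List; this shortcut is enough for
    the constructed hostnames below.
    """
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


@dataclass
class Request:
    url: str                        # where the request goes
    initiator: Optional[str]        # page that caused it; None for a typed URL
    method: str = "GET"
    top_level: bool = False         # True for navigations, False for subresources


def cookie_attached(same_site: str, cookie_site: str, req: Request) -> bool:
    """Decide whether a cookie owned by cookie_site rides along with req."""
    if site_of(req.url) != cookie_site:
        return False                # cookies never leave their own site
    if req.initiator is None or site_of(req.initiator) == cookie_site:
        return True                 # same-site request: SameSite is irrelevant
    policy = same_site.capitalize()
    if policy == "None":
        return True                 # explicitly opted in to cross-site use
    if policy == "Strict":
        return False                # every cross-site request loses the cookie
    # Lax: only top-level navigations with a safe method keep the cookie
    return req.top_level and req.method.upper() in ("GET", "HEAD")


# Constructed scenarios mirroring the post's examples
SCENARIOS = {
    # evilsite.com embeds <img src="https://bank.com/transfer?..."> (subresource)
    "image_from_evil_site": Request(
        "https://bank.com/transfer?from=a&to=b&amount=100",
        initiator="https://evilsite.com/", method="GET", top_level=False),
    # evilsite.com auto-submits a hidden form to bank.com (top-level POST)
    "form_post_from_evil_site": Request(
        "https://bank.com/transfer", initiator="https://evilsite.com/",
        method="POST", top_level=True),
    # OAuth provider redirects the user back to bank.com (top-level GET)
    "oauth_redirect_back": Request(
        "https://bank.com/oauth/callback?code=constructed",
        initiator="https://oauth-provider.example/", method="GET", top_level=True),
    # user already on bank.com clicks an internal link
    "same_site_navigation": Request(
        "https://bank.com/account", initiator="https://bank.com/",
        method="GET", top_level=True),
}


def outcomes(same_site: str) -> Dict[str, bool]:
    """Which scenarios still carry bank.com's session cookie under a policy."""
    return {name: cookie_attached(same_site, "bank.com", req)
            for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    print(build_set_cookie("session", "abc123", same_site="Lax"))
    for policy in ("Strict", "Lax", "None"):
        print(policy, outcomes(policy))
```

Running it shows the trade-off the post describes: under Lax the image load and the cross-site POST lose the cookie while the OAuth callback keeps it; under Strict the callback also arrives without a session, so the flow needs extra handling.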