What it is
The SameSite cookie attribute tells the browser whether to attach a cookie when a request originates from a different site. It is a key defense against CSRF.
The three values
- Strict: the cookie is never sent on any cross-site request, not even a top-level link click.
- Lax: the cookie rides along on top-level navigations such as clicking a link, but not on cross-site subrequests such as images or background form posts.
- None: the cookie is always sent, but it must also be marked Secure.
Why it helps
A CSRF attack relies on the browser sending your session cookie on a cross-site request. With Lax or Strict, that automatic attachment is restricted, so many forged requests arrive without the cookie.
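The attachment rules for the three values and the CSRF effect described above, as an added model (not code from the original note): a small Python function that decides whether a cookie rides along on a request, and a constructed scenario in which a page on evil.example fires a forged POST or a link click at bank.example. The site names, the Cookie/Request classes and the simplification that a "site" is a precomputed string are assumptions; the model also encodes the detail that Lax only sends on safe-method (GET/HEAD) top-level navigations, which goes slightly beyond the wording above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str      # "Strict", "Lax" or "None"
    secure: bool = False

@dataclass(frozen=True)
class Request:
    initiator_site: str  # site of the page that caused the request (assumed precomputed)
    target_site: str     # site the request is sent to
    method: str          # "GET", "POST", ...
    top_level: bool      # True for a navigation that replaces the page, False for a subrequest
    https: bool = True

def cookie_is_attached(cookie: Cookie, req: Request) -> bool:
    """Model of the browser's decision to attach `cookie` to `req`."""
    # SameSite=None without Secure is rejected when the cookie is set,
    # so it never reaches the jar and can never be attached.
    if cookie.same_site == "None" and not cookie.secure:
        return False
    # A Secure cookie only travels over HTTPS, whatever its SameSite value.
    if cookie.secure and not req.https:
        return False
    if req.initiator_site == req.target_site:
        return True                      # same-site: SameSite imposes no limit
    if cookie.same_site == "Strict":
        return False                     # never on a cross-site request
    if cookie.same_site == "Lax":
        # Only top-level navigations with a safe method (link click, typed URL).
        # Subrequests (images, fetch, background form posts) and cross-site
        # POST navigations arrive without the cookie.
        return req.top_level and req.method.upper() in ("GET", "HEAD")
    return True                          # None + Secure: always sent cross-site

# Constructed scenario: a page on evil.example targets bank.example. The
# requests never change; only the cookie's SameSite value changes the outcome.
FORGED_POST = Request("evil.example", "bank.example", "POST", top_level=False)
LINK_CLICK = Request("evil.example", "bank.example", "GET", top_level=True)

def session_reaches_server(same_site: str, req: Request = FORGED_POST) -> bool:
    session = Cookie("session", same_site, secure=True)
    return cookie_is_attached(session, req)

if __name__ == "__main__":
    for value in ("Strict", "Lax", "None"):
        print(f"{value:6} forged POST: {session_reaches_server(value)}  "
              f"link click: {session_reaches_server(value, LINK_CLICK)}")
```

Running it shows the forged POST carrying the session only under None, while the link click also succeeds under Lax, which is exactly why Lax is a baseline and not a complete CSRF defense on its own.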
Practical defaults
- Use Lax for session cookies as a sensible baseline.
- Reserve SameSite=None; Secure for cookies that genuinely need cross-site use.
Key idea
SameSite controls cross-site cookie sending; Lax or Strict blocks the automatic attachment that CSRF depends on.