Recipe

SameSite Cookies

Reduce cross-site request forgery exposure by controlling when the browser attaches cookies to cross-site requests. Note the wording: SameSite reasons about sites (scheme plus registrable domain), not origins. app.example.com and www.example.com are different origins but the same site, so a SameSite cookie does nothing against a request from a sibling subdomain.

The Problem

Without SameSite, browsers attach cookies to every request to your site, including requests another site initiates through form submissions, links, embedded images, or script tags. A forged state-changing request therefore arrives carrying the victim's session cookie, which is the foundation of CSRF. Chromium-based browsers now treat a cookie with no SameSite attribute as Lax, with one temporary exception: for roughly two minutes after such a cookie is set it is also sent on top-level cross-site POSTs, so that login flows that bounce through another site keep working. Do not rely on that default; set the attribute explicitly, and keep CSRF tokens as the primary control. SameSite is defense in depth against cross-site requests, not against a same-site attacker such as a compromised subdomain.

The Attribute

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax

Strict

Never sent on cross-site requests, not even top-level navigations. Safest against CSRF, but a user who follows a link to your site from email, chat, or another site arrives without the cookie and appears logged out until they navigate again within the site. A common pattern is two cookies: a Lax cookie that identifies the user on landing, and a Strict cookie that is required for sensitive actions such as changing a password or confirming a payment.

Lax

Sent on top-level navigations that use a safe HTTP method (GET, HEAD, OPTIONS). Not sent on cross-site subresource loads (images, scripts, fetch/XHR), iframes, or cross-site POSTs, including form submissions. The pragmatic default, and what Chromium applies when the attribute is absent. The caveat: a cross-site link still carries the cookie, so a Lax cookie gives no CSRF protection to a GET endpoint that changes state. Never log out, delete, or transfer on GET.

None

Sent on all cross-site requests, exactly as cookies behaved before SameSite existed. Must be combined with Secure; browsers reject a SameSite=None cookie that is not also Secure. Use only when the cookie genuinely has to travel cross-site, such as a widget embedded in a partner's page or an SSO flow, and protect those endpoints with CSRF tokens, because the cookie attribute no longer does anything for them.
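The three policies above, as an added worked example in JavaScript (example code, not from the original page): a simplified model of the browser's decision that also shows why "site" differs from "origin". The tiny public-suffix list, the siteOf/cookieAttached helpers and the request shape are assumptions made for this example; real browsers use the full Public Suffix List and the Fetch/HTML specs' request classification.

```javascript
// Added example (not from the original page): a simplified model of the
// browser's SameSite decision. PUBLIC_SUFFIXES is a constructed stand-in for
// the real Public Suffix List, large enough to show the effect.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'co.uk', 'github.io']);

// Registrable domain (eTLD+1): the longest matching public suffix plus one label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return labels.join('.');
}

// A "site" is scheme + registrable domain ("schemeful same-site"). Port and
// subdomain are ignored, which is why app.example.com and www.example.com are
// the same site even though they are different origins.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

function isSameSite(initiatorUrl, targetUrl) {
  return siteOf(initiatorUrl) === siteOf(targetUrl);
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Decide whether a cookie is attached to a request.
//   cookie:  { sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure: boolean }
//   request: { initiator, target, method, topLevel }
//   topLevel is true for navigations (link, address bar, form submit) and
//   false for subresources (img, script, fetch/XHR) and iframes.
function cookieAttached(cookie, request) {
  const { initiator, target, method = 'GET', topLevel = false } = request;
  // Chromium's default when the attribute is absent (assumption for the model;
  // the two-minute Lax+POST exception is not modelled here).
  const policy = (cookie.sameSite || 'Lax').toLowerCase();

  // Same-site requests always carry the cookie, whatever the policy.
  if (isSameSite(initiator, target)) return true;

  switch (policy) {
    case 'strict':
      return false;
    case 'lax':
      // Only top-level navigations with a safe method.
      return topLevel && SAFE_METHODS.has(method.toUpperCase());
    case 'none':
      // Browsers discard SameSite=None cookies that are not Secure.
      return cookie.secure === true;
    default:
      return false;
  }
}

// Constructed scenarios for a quick run: node samesite-model.js
const SCENARIOS = [
  ['Lax, cross-site link (GET)', { sameSite: 'Lax', secure: true },
    { initiator: 'https://attacker.org/', target: 'https://example.com/delete?id=1', method: 'GET', topLevel: true }],
  ['Lax, cross-site form POST', { sameSite: 'Lax', secure: true },
    { initiator: 'https://attacker.org/', target: 'https://example.com/delete', method: 'POST', topLevel: true }],
  ['Strict, same-site subdomain POST', { sameSite: 'Strict', secure: true },
    { initiator: 'https://static.example.com/', target: 'https://example.com/api', method: 'POST', topLevel: false }],
];

for (const [label, cookie, request] of SCENARIOS) {
  console.log(`${label}: ${cookieAttached(cookie, request) ? 'attached' : 'withheld'}`);
}
```

The first scenario is the one that surprises people: a Lax cookie rides along on a cross-site link, so the only thing protecting a GET endpoint is that it does not change state. The third scenario shows the limit of the whole mechanism: a subdomain is same-site, so no SameSite value withholds the cookie from it.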

Framework Snippets

Express

res.cookie('session', token, { sameSite: 'lax', httpOnly: true, secure: true })

Next.js Middleware

response.cookies.set('session', token, { sameSite: 'lax', httpOnly: true, secure: true })

Verification

Open DevTools → Application → Cookies. The SameSite column shows the attribute as the server declared it; an empty cell means the browser default applies, which is Lax in Chromium and unrestricted in some other browsers, so treat an empty cell as a finding. To confirm the cookie is withheld where it should be, trigger a cross-site request (for example a form on another site that POSTs to yours) and inspect it in the Network tab: the request's Cookies sub-tab lists cookies that were blocked and the reason, and the Issues panel reports SameSite problems for the whole page. Outside the browser, inspect the raw Set-Cookie header with curl or a CI check and confirm that every session cookie carries Secure, HttpOnly and an explicit SameSite value.
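As an added check for this step (example code, not from the original page): a small Node script that parses Set-Cookie headers and reports a missing SameSite, Secure or HttpOnly attribute and the invalid SameSite=None-without-Secure combination, suitable for a CI smoke test against a staging deploy. The sample headers are constructed; auditUrl assumes Node 20+, where fetch and Headers.getSetCookie() are built in.

```javascript
// Added example (not from the original page): audit Set-Cookie headers for
// the attributes this recipe requires. Parsing follows the header grammar
// only as far as needed (name=value, then ;-separated attributes).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    // Flag attributes (Secure, HttpOnly) become true; valued ones keep their string.
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Returns { name, findings: [...] }; an empty findings list means the cookie
// has Secure, HttpOnly and a valid, explicit SameSite value.
function auditSetCookie(header) {
  const { name, attributes: a } = parseSetCookie(header);
  const findings = [];
  const raw = a.samesite;
  const sameSite = typeof raw === 'string' ? raw.toLowerCase() : undefined;

  if (raw === undefined) {
    findings.push('SameSite missing: behaviour depends on the browser default');
  } else if (!['strict', 'lax', 'none'].includes(sameSite)) {
    findings.push(`SameSite has unrecognised value "${raw}"`);
  }
  if (sameSite === 'none' && a.secure !== true) {
    findings.push('SameSite=None without Secure: browsers reject this cookie');
  }
  if (a.secure !== true) {
    findings.push('Secure missing: cookie can be sent over plaintext HTTP');
  }
  if (a.httponly !== true) {
    findings.push('HttpOnly missing: cookie is readable from script');
  }
  return { name, findings };
}

// Audit every Set-Cookie header of a response; returns only the cookies with findings.
function auditResponseCookies(headers) {
  return headers.map(auditSetCookie).filter((r) => r.findings.length > 0);
}

// Fetch a URL and audit its cookies. Assumes Node 20+ (global fetch and
// Headers.getSetCookie()). Not called below so the file runs offline.
async function auditUrl(url) {
  const res = await fetch(url, { redirect: 'manual' });
  return auditResponseCookies(res.headers.getSetCookie());
}

// Constructed sample: what a misconfigured staging server might send.
const SAMPLE_HEADERS = [
  'session=abc123; Secure; HttpOnly; SameSite=Lax',
  'session=abc123; HttpOnly; SameSite=None',
  'prefs=dark; Path=/',
];

for (const result of auditResponseCookies(SAMPLE_HEADERS)) {
  console.log(`${result.name}:`);
  for (const f of result.findings) console.log(`  - ${f}`);
}
```

Wire auditUrl into CI with a non-zero exit when auditResponseCookies returns anything for the session cookie, and run it against the login response specifically: that is where the session cookie is set, and a HEAD probe of the home page usually will not show it.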