Authentication & Identity
SameSite
The SameSite cookie attribute controls whether a cookie is attached to cross-site requests, which is what gives it its value as a CSRF defence: a forged request from another site is only dangerous if the victim's session cookie rides along with it. SameSite=Strict never sends the cookie in a cross-site context. SameSite=Lax (the browser default for cookies that set no attribute since Chrome 80) sends the cookie on top-level navigations, such as following a link, but withholds it from sub-resource and background requests made from a third-party site. SameSite=None sends the cookie in every cross-site context and is only accepted by browsers when the Secure attribute is also set.
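To make the three modes concrete, the following added example (not code from the page's source or from any browser vendor) models the decision a browser makes: it builds a Set-Cookie header and rejects the invalid SameSite=None-without-Secure combination, then evaluates whether a cookie would be attached to a request given its SameSite value and the request context. The function names, the request-context shape, and the scenarios are assumptions made for this illustration; the rules themselves follow the attribute semantics described above, with "safe" methods (GET, HEAD, OPTIONS) treated as the ones a Lax cookie accompanies on top-level navigations.

```javascript
// Added example: SameSite cookie semantics as a small decision model.
// Names (buildSetCookie, cookieWouldBeSent, the request-context fields)
// are assumptions for this illustration, not a browser or library API.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Build a Set-Cookie header value. Throws on the invalid combination
// SameSite=None without Secure, which browsers reject outright.
function buildSetCookie(name, value, opts = {}) {
  const sameSite = opts.sameSite || 'Lax';
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`unknown SameSite value: ${sameSite}`);
  }
  if (sameSite === 'None' && !opts.secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${value}`, `Path=${opts.path || '/'}`];
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Decide whether a cookie with the given SameSite value is attached to a request.
// ctx = { crossSite: bool, topLevel: bool, method: string }
//   crossSite: request originates from a different site than the cookie's
//   topLevel:  the request is a top-level navigation (link click, form submit)
//   method:    HTTP method of the request
function cookieWouldBeSent(sameSite, ctx) {
  if (!ctx.crossSite) return true;          // same-site: always sent
  switch (sameSite) {
    case 'Strict':
      return false;                          // never in a cross-site context
    case 'Lax':
      // only top-level navigations using a safe method
      return ctx.topLevel && SAFE_METHODS.has(ctx.method.toUpperCase());
    case 'None':
      return true;                           // all cross-site contexts
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Constructed scenarios: the classic CSRF shapes a defender cares about.
const SCENARIOS = {
  linkFromOtherSite:   { crossSite: true,  topLevel: true,  method: 'GET'  },
  forgedFormPost:      { crossSite: true,  topLevel: true,  method: 'POST' },
  hiddenImageOrFetch:  { crossSite: true,  topLevel: false, method: 'GET'  },
  sameSiteApiCall:     { crossSite: false, topLevel: false, method: 'POST' },
};

// Evaluate every scenario for one SameSite value; returns { scenario: bool }.
function evaluate(sameSite) {
  const out = {};
  for (const [name, ctx] of Object.entries(SCENARIOS)) {
    out[name] = cookieWouldBeSent(sameSite, ctx);
  }
  return out;
}

// Stand-alone run: print the header and the decision table.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildSetCookie('session', 'abc123', { sameSite: 'Lax', secure: true, httpOnly: true }));
  for (const mode of ['Strict', 'Lax', 'None']) {
    console.log(mode, evaluate(mode));
  }
}
```

The forgedFormPost row is the one that matters for CSRF: with Lax or Strict the session cookie stays home, so the forged request arrives unauthenticated. Note that the hiddenImageOrFetch row is also blocked under Lax, which is why a third-party page cannot read authenticated sub-resources; only a full navigation carries a Lax cookie across sites.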
Official documentation
Why it matters for your website
- Directly impacts resistance to account takeover and credential theft
- Required for SOC 2, HIPAA, and PCI-DSS compliance
- Misconfiguration can expose all user accounts to attack