# CSRF Best Practices

* **Strict**:
  * Use `SameSite=Strict` for cookies containing sensitive information or those used in critical operations (e.g., authentication cookies).
  * Example:

    ```http
    Set-Cookie: authToken=xyz789; Secure; HttpOnly; SameSite=Strict
    ```
* **Lax**:
  * Use `SameSite=Lax` for cookies that should generally be sent in same-site contexts but still allow some cross-site requests (e.g., navigations from external links).
  * Example:

    ```http
    Set-Cookie: trackingId=def456; Secure; HttpOnly; SameSite=Lax
    ```
* **None**:
  * Use `SameSite=None` only when cross-site requests are necessary and ensure the `Secure` attribute is present to enforce HTTPS.
  * Example:

    ```http
    Set-Cookie: thirdParty=ghi123; Secure; HttpOnly; SameSite=None
    ```
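
The three settings above, as an added example that is not part of the original page: a small `Set-Cookie` audit that flags the misconfigurations the list warns about (`SameSite=None` without `Secure`, a sensitive cookie not set to `Strict`), plus a simplified model of when a browser attaches a cookie under each mode. Function names and the sample headers are constructed for this example; the model ignores browser-specific exceptions such as Chrome's short "Lax+POST" window.

```python
# Added example (not from the original page): audit Set-Cookie headers for
# SameSite/Secure problems and model the browser's send decision per mode.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flag attrs -> True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str, sensitive: bool = False) -> list:
    """Return findings for one Set-Cookie header; empty list means no issue."""
    attrs = parse_set_cookie(header)["attrs"]
    samesite = str(attrs.get("samesite", "")).lower()
    findings = []
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure; browsers reject the cookie otherwise")
    if not samesite:
        findings.append("no SameSite attribute: behaviour falls back to browser defaults")
    if sensitive and samesite != "strict":
        findings.append("sensitive cookie should use SameSite=Strict")
    if sensitive and "httponly" not in attrs:
        findings.append("sensitive cookie should be HttpOnly")
    return findings


def cookie_sent(samesite: str, cross_site: bool, top_level_nav: bool,
                method: str = "GET") -> bool:
    """Simplified browser rule: is the cookie attached to this request?

    Strict: never on cross-site requests.
    Lax:    cross-site only for top-level navigations using a safe method.
    None:   always (the cookie must also carry Secure to be accepted at all).
    """
    if not cross_site:
        return True
    mode = samesite.lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return top_level_nav and method.upper() in SAFE_METHODS
    return True


if __name__ == "__main__":
    # Constructed sample: a cross-site form POST never carries a Lax cookie.
    print(cookie_sent("Lax", cross_site=True, top_level_nav=True, method="POST"))
```

The `cookie_sent` result for a cross-site `POST` under `Lax` is the reason the attribute blocks the classic forged-form CSRF while still letting a user follow a link into the site with their session intact.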
