CSRF Best Practices

  • Strict:

    • Use SameSite=Strict for cookies containing sensitive information or those used in critical operations (e.g., authentication cookies).

    • Example:

      ```http
      Set-Cookie: authToken=xyz789; Secure; HttpOnly; SameSite=Strict
      ```

  • Lax:

    • Use SameSite=Lax for cookies that should generally be sent in same-site contexts but still allow some cross-site requests (e.g., navigations from external links).

    • Example:

      ```http
      Set-Cookie: trackingId=def456; Secure; HttpOnly; SameSite=Lax
      ```

  • None:

    • Use SameSite=None only when cross-site requests are necessary, and ensure the Secure attribute is present to enforce HTTPS.

    • Example:

      ```http
      Set-Cookie: thirdParty=ghi123; Secure; HttpOnly; SameSite=None
      ```
