CSRF Best Practices

Strict:
- Use SameSite=Strict for cookies containing sensitive information or those used in critical operations (e.g., authentication cookies).
- Example:
  httpCopy codeSet-Cookie: authToken=xyz789; Secure; HttpOnly; SameSite=Strict
Lax:
- Use SameSite=Lax for cookies that should generally be sent in same-site contexts but still allow some cross-site requests (e.g., navigations from external links).
- Example:
  httpCopy codeSet-Cookie: trackingId=def456; Secure; HttpOnly; SameSite=Lax
None:
- Use SameSite=None only when cross-site requests are necessary and ensure the Secure attribute is present to enforce HTTPS.
- Example:
  httpCopy codeSet-Cookie: thirdParty=ghi123; Secure; HttpOnly; SameSite=None

Last updated 1 year ago