Improper Cookie SameSite Attribute

Cookie `SameSite` attribute restricts how cookies are sent to cross-domain requests. This is an effective measure against Cross Site Request Forgery (CSRF) attacks.

Remediation

Set `SameSite=Strict` for session cookies.

Metadata

Severity: informational
Slug: improper-cookie-samesite-attribute

CWEs

1275: Sensitive Cookie with Improper SameSite Attribute
352: Cross-Site Request Forgery (CSRF)

OWASP

A01:2021: Broken Access Control

Available Labs

Open Javascript labs in SecDim Play for this vulnerability.

easy

Cookie.js

JavaScript Easy Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.