Fix: SameSite=None Requires the Secure Attribute
Updated April 2026
Audit your cookies automatically.
Cookie Partitioning Auditor →
Since Chrome 80 (February 2020), browsers reject SameSite=None cookies that don't also have the Secure attribute. The cookie is silently ignored.
The rule
# Rejected — SameSite=None without Secure
Set-Cookie: session=abc; SameSite=None; Path=/

# Accepted — SameSite=None with Secure (HTTPS only)
Set-Cookie: session=abc; SameSite=None; Secure; Path=/

# Also add Partitioned for Chrome 118+ third-party context:
Set-Cookie: session=abc; SameSite=None; Secure; Partitioned; Path=/
Fix by framework
Express / Node.js
res.cookie('session', value, {
  sameSite: 'none',
  secure: true,      // required with SameSite=None
  partitioned: true, // required for Chrome 118+ third-party
  httpOnly: true,
  path: '/',
});
Next.js
response.headers.append(
  'Set-Cookie',
  'session=abc; SameSite=None; Secure; Partitioned; HttpOnly; Path=/'
);
Django
response.set_cookie(
    'session',
    value,
    samesite='None',
    secure=True,  # required
    httponly=True,
    path='/',
)
FastAPI
response.set_cookie(
    key="session",
    value=value,
    samesite="none",
    secure=True,  # required
    httponly=True,
    path="/",
)
Why Secure is required with SameSite=None
Without HTTPS, the cookie travels in plaintext. Allowing cross-site cookies over HTTP would expose them to network-level interception on every cross-site request. Browsers enforce Secure as a prerequisite to prevent this.
Local development:
localhost is treated as secure by browsers. SameSite=None; Secure works on localhost without HTTPS. It will fail on HTTP non-localhost domains.
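As an added example (not code from the original page or from the Cookie Partitioning Auditor), the following Node.js script applies the checks described above, both the rule itself and the localhost exception, to raw Set-Cookie headers before a response ships: it flags SameSite=None without Secure, a Secure cookie set over plain http:// from anything other than a localhost origin, and a cross-site cookie that lacks Partitioned. The list of hosts treated as secure over http and the origin strings and sample headers are assumptions constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers against the rules on this page.
//   rejected: SameSite=None without Secure (browser silently drops the cookie)
//   rejected: Secure cookie set over plain http:// from a non-localhost host
//   rejected: Partitioned without Secure (Partitioned also requires Secure)
//   warning:  SameSite=None cookie without Partitioned (Chrome 118+ third-party
//             context, per the page)
// Attribute names are matched case-insensitively, as browsers do.

// Hosts browsers treat as a secure context even over http (assumed list;
// extend with your own dev hostnames if needed).
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Parse "name=value; Attr; Attr=val" into { name, value, attributes }.
// Valueless attributes (Secure, HttpOnly, Partitioned) become `true`.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq).trim();
  const value = eq === -1 ? pair : pair.slice(eq + 1).trim();
  const attributes = {};
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Audit one header as if set from `origin` (e.g. "https://app.example").
// Returns an array of { name, level, reason }; an empty array means the
// browser accepts the cookie and nothing on this page's checklist is missing.
function auditSetCookie(header, origin) {
  const { name, attributes } = parseSetCookie(header);
  const url = new URL(origin);
  const secure = attributes.secure === true;
  const partitioned = attributes.partitioned === true;
  const sameSite = typeof attributes.samesite === 'string'
    ? attributes.samesite.toLowerCase()
    : null;
  const plainHttpNonLocal = url.protocol === 'http:' && !LOCAL_HOSTS.has(url.hostname);
  const findings = [];
  const add = (level, reason) => findings.push({ name, level, reason });

  if (sameSite === 'none' && !secure) {
    add('rejected', 'SameSite=None without Secure');
  }
  if (secure && plainHttpNonLocal) {
    add('rejected', `Secure cookie set over http:// on ${url.hostname}`);
  }
  if (partitioned && !secure) {
    add('rejected', 'Partitioned without Secure');
  }
  if (sameSite === 'none' && secure && !partitioned) {
    add('warning', 'SameSite=None without Partitioned (Chrome 118+ third-party context)');
  }
  return findings;
}

// Audit every Set-Cookie header of a response at once.
function auditResponseCookies(headers, origin) {
  return headers.flatMap((h) => auditSetCookie(h, origin));
}

// Constructed sample headers mirroring the rule section of this page.
const SAMPLE_HEADERS = [
  'session=abc; SameSite=None; Path=/',
  'session=abc; SameSite=None; Secure; Path=/',
  'session=abc; SameSite=None; Secure; Partitioned; Path=/',
  'csrf=xyz; SameSite=Lax; HttpOnly; Path=/',
];

// Stand-alone run: print findings for a production, a localhost and a
// plain-http dev origin (all assumed origins).
if (typeof require !== 'undefined' && require.main === module) {
  for (const origin of ['https://app.example', 'http://localhost:3000', 'http://dev.example']) {
    console.log(`\nOrigin ${origin}`);
    for (const f of auditResponseCookies(SAMPLE_HEADERS, origin)) {
      console.log(`  [${f.level}] ${f.name}: ${f.reason}`);
    }
  }
}
```

Run it against the headers your framework actually emits (for Express, `res.getHeader('Set-Cookie')` returns the array) and treat any `rejected` finding as a bug: the cookie never reaches the browser's jar, so the failure shows up only as a missing session on the next cross-site request.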