Updated April 2026
SameSite Cookie Attribute
SameSite is a cookie attribute that controls whether the browser sends the cookie with cross-site requests, and it is the primary browser-side defense against CSRF. SameSite=Strict withholds the cookie from every cross-site request. SameSite=Lax withholds it from cross-site POSTs and subresource requests but sends it on top-level GET navigations (links, address-bar loads). SameSite=None (which must be combined with Secure) sends the cookie on all cross-site requests.
The three values
| Value | Sent with cross-site GET | Sent with cross-site POST | Use for |
|---|---|---|---|
| Strict | No | No | Highly sensitive cookies (admin sessions) |
| Lax | Yes (top-level navigation only) | No | Most session cookies; browser default since 2020 |
| None; Secure | Yes | Yes | Cross-site embeds, OAuth, third-party integrations |
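The table above can be read as a decision function. The following is an added example, not code from the original page: it models the browser's SameSite behaviour for each value, treating an unspecified attribute as Lax (the default described later on this page). The request shape (`crossSite`, `topLevelNavigation`, `method`) is an assumption made for the example.

```javascript
// Added example: a model of the browser's SameSite decision per the table.
// Cookie: { sameSite?: 'strict'|'lax'|'none', secure?: boolean }
// Request (assumed shape for this example):
//   { crossSite: boolean, topLevelNavigation: boolean, method: string }
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Returns true when a browser would attach the cookie to the request.
function wouldSendCookie(cookie, request) {
  // Same-site requests carry the cookie regardless of the SameSite value.
  if (!request.crossSite) return true;

  // No attribute: modern browsers treat the cookie as Lax.
  const mode = (cookie.sameSite || 'lax').toLowerCase();
  const method = (request.method || 'GET').toUpperCase();

  switch (mode) {
    case 'strict':
      return false; // never sent cross-site
    case 'lax':
      // Only top-level navigations with a safe method (a link click or
      // form GET). Cross-site POST, iframes, fetch/XHR and <img> do not qualify.
      return request.topLevelNavigation === true && SAFE_METHODS.has(method);
    case 'none':
      // None is only honoured together with Secure; without it the browser
      // rejected the cookie when it was set, so there is nothing to send.
      return cookie.secure === true;
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed scenarios (not captured from a real browser), one per table cell.
const crossSiteLink = { crossSite: true, topLevelNavigation: true, method: 'GET' };
const crossSitePost = { crossSite: true, topLevelNavigation: true, method: 'POST' };
const crossSiteFetch = { crossSite: true, topLevelNavigation: false, method: 'GET' };

function demo() {
  return {
    strictLink: wouldSendCookie({ sameSite: 'strict', secure: true }, crossSiteLink), // false
    laxLink: wouldSendCookie({ sameSite: 'lax', secure: true }, crossSiteLink),       // true
    laxPost: wouldSendCookie({ sameSite: 'lax', secure: true }, crossSitePost),       // false
    laxFetch: wouldSendCookie({ sameSite: 'lax', secure: true }, crossSiteFetch),     // false
    nonePost: wouldSendCookie({ sameSite: 'none', secure: true }, crossSitePost),     // true
    unspecifiedPost: wouldSendCookie({}, crossSitePost),                              // false (Lax default)
  };
}

console.log(demo());
```

The `laxFetch` case is the one that surprises people: a cross-site `fetch()` with GET is not a top-level navigation, so a Lax cookie is withheld even though the method is safe.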
Setting SameSite in server config
```javascript
// Express
res.cookie('session', value, {
  sameSite: 'lax',   // or 'strict' or 'none'
  secure: true,      // required when sameSite is 'none'
  httpOnly: true     // always set; prevents script access to the cookie (XSS)
});
```

```nginx
# Nginx (via proxy_cookie_flags or the headers module)
proxy_cookie_flags session samesite=lax secure httponly;
```
Browser defaults (2024)
Chrome and Firefox default to SameSite=Lax when no SameSite attribute is specified. Cookies without SameSite are no longer sent cross-site on POST by default — this broke many legacy third-party integrations that relied on cross-site cookie sending.
SameSite=None gotcha
SameSite=None requires Secure — the cookie must be set on HTTPS. Without Secure, browsers reject the SameSite=None cookie entirely.
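A practical check for the gotchas on this page (no SameSite attribute, None without Secure, missing HttpOnly) is to audit the `Set-Cookie` headers a server actually returns. The following is an added example, not code from the original page: it parses raw `Set-Cookie` header strings and reports these findings. The sample headers are constructed for the example and were not captured from any real server.

```javascript
// Added example: audit Set-Cookie headers for the SameSite problems above.

// Parse one Set-Cookie header string into its name/value and the attributes
// this audit cares about. Attribute names are case-insensitive.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('='); // only the first '=' separates name from value
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // null means the attribute was absent
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Return the list of findings for one header; an empty list means it is clean.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];

  if (c.sameSite === null) {
    findings.push('no SameSite attribute: modern browsers treat it as Lax, so cross-site POST flows relying on it will break');
  } else if (!['strict', 'lax', 'none'].includes(c.sameSite)) {
    findings.push(`unrecognised SameSite value "${c.sameSite}"`);
  }

  if (c.sameSite === 'none' && !c.secure) {
    // The gotcha described above: the browser drops the cookie entirely.
    findings.push('SameSite=None without Secure: browsers reject this cookie');
  } else if (!c.secure) {
    findings.push('missing Secure: cookie can be sent over plain HTTP');
  }

  if (!c.httpOnly) {
    findings.push('missing HttpOnly: cookie is readable by page scripts');
  }

  return { name: c.name, findings };
}

// Constructed sample headers for the example (not from a real server).
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'session=abc123; Path=/; SameSite=None',
  'tracker=xyz; Path=/; Max-Age=3600',
];

function auditAll(headers = SAMPLE_HEADERS) {
  return headers.map(auditSetCookie);
}

for (const result of auditAll()) {
  console.log(result.name, result.findings.length ? result.findings : 'OK');
}
```

Run this over the `Set-Cookie` headers from a response (for example, the `set-cookie` array that Node's `http` client exposes on `res.headers`) to see which cookies will silently stop working under the Lax default or be rejected because None was set without Secure.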