Cookie rejected: SameSite=None requires Secure flag
The error
This Set-Cookie was blocked because it had the 'SameSite=None' attribute but did not have the 'Secure' attribute, which is required when 'SameSite=None' is used.
What it means
A cookie that wants to be sent in cross-site contexts (SameSite=None) must be served only over HTTPS (Secure). The browser dropped your cookie because Secure was missing.
Browsers tightened cookie defaults to prevent CSRF. SameSite=None means "send in third-party contexts" — but this is allowed only on HTTPS. Without Secure, the policy is incoherent and the cookie is rejected.
The fix
// Next.js (NextResponse.cookies) object form shown here. Express exposes the same
// options via res.cookie('session', token, { httpOnly, secure, sameSite, path, maxAge }),
// but note that Express's maxAge is in milliseconds while Next.js's is in seconds.
res.cookies.set({
  name: 'session',
  value: token,
  httpOnly: true,
  secure: true, // required for SameSite=None
  sameSite: 'none', // for cross-site (e.g., embedded iframe)
  path: '/',
  maxAge: 60 * 60 * 24 * 7, // one week, in seconds
});

// If you do NOT need cross-site, drop to SameSite=Lax (default-safe):
res.cookies.set({
  name: 'session',
  value: token,
  httpOnly: true,
  secure: true,
  sameSite: 'lax',
  path: '/',
});

Also check
Common adjacent root causes when the obvious fix doesn’t work.
1. Are you actually doing cross-site cookies? Most apps do not need SameSite=None — Lax is fine.
2. Is your dev environment HTTP? Browsers reject Secure cookies on HTTP. Use https://localhost in dev with mkcert.
3. Is a reverse proxy stripping the Secure flag? Check the cookie as it leaves the upstream server vs. as it arrives at the browser.
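A small checker for the rules above (SameSite=None needs Secure, Secure needs HTTPS, session cookies should be HttpOnly) and for the reverse-proxy case in item 3: parse the raw Set-Cookie header as captured at the upstream server and as captured in the browser's network panel, then report what would be rejected and which attributes went missing in between. This is an added example, not code from the original article; the function names, the `isHttps` option and the two sample headers are constructed for illustration.

```javascript
// Added example (not part of the original article): approximate the browser's
// Set-Cookie attribute checks and diff an upstream header against what the
// browser actually received. Header samples below are constructed.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('=').trim(), attributes: {} };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    // Attribute names are case-insensitive; flag attributes (Secure, HttpOnly) have no value.
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    cookie.attributes[key] = eq === -1 ? true : attr.slice(eq + 1).trim();
  }
  return cookie;
}

// Returns a list of problems; an empty array means the cookie passes the
// SameSite/Secure rules. `isHttps` (assumed option) says whether the response
// arrived over HTTPS, since browsers drop Secure cookies set over plain HTTP.
function checkCookie(header, { isHttps = true } = {}) {
  const { attributes } = parseSetCookie(header);
  const problems = [];
  const secure = attributes.secure === true;
  const sameSite = typeof attributes.samesite === 'string'
    ? attributes.samesite.toLowerCase()
    : undefined;

  if (sameSite === 'none' && !secure) {
    problems.push('SameSite=None requires Secure');
  }
  if (secure && !isHttps) {
    problems.push('Secure cookie set over plain HTTP is dropped');
  }
  if (attributes.httponly !== true) {
    problems.push('HttpOnly missing (set it on session cookies)');
  }
  if (sameSite === undefined) {
    problems.push('SameSite missing (browser falls back to Lax)');
  }
  return problems;
}

// Attributes present upstream but absent at the browser, i.e. what a proxy stripped.
function diffUpstreamVsBrowser(upstream, atBrowser) {
  const a = parseSetCookie(upstream).attributes;
  const b = parseSetCookie(atBrowser).attributes;
  return Object.keys(a).filter((k) => !(k in b));
}

// Constructed samples: what the app emitted vs. what the browser saw after a proxy.
const UPSTREAM = 'session=abc123; Path=/; HttpOnly; Secure; SameSite=None';
const AT_BROWSER = 'session=abc123; Path=/; HttpOnly; SameSite=None';

console.log(checkCookie(UPSTREAM));                          // []
console.log(checkCookie(AT_BROWSER));                        // ['SameSite=None requires Secure']
console.log(checkCookie(UPSTREAM, { isHttps: false }));      // ['Secure cookie set over plain HTTP is dropped']
console.log(diffUpstreamVsBrowser(UPSTREAM, AT_BROWSER));    // ['secure']
```

Run it with `node` and feed it the real header strings from your server log and the browser's response headers; a non-empty diff pinpoints the attribute the proxy is rewriting before you touch application code.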
Scan for related issues
This error is in our cookies scanner. Run a free scan to find what else is misconfigured in the same area.
FAQ
Frequently asked questions
- Why was my cookie working last week and now it’s blocked?
- Browsers gradually tightened the default. As of Chrome 89+ / Firefox 96+, SameSite=None without Secure is hard-rejected. If you upgraded the browser or the policy changed in your code, you’re seeing it for the first time.
- What about HttpOnly?
- HttpOnly is independent — it prevents JavaScript access to the cookie (XSS protection). Always set it on session cookies.
Related fixes
Tighten this area further
Cookie missing Secure flag
Cookies without the Secure flag can be sent over HTTP, leaking session tokens to anyone on the same network. Here is how to set it.
Cookie missing SameSite
SameSite controls whether cookies are sent on cross-site requests — the main defense against CSRF. Here is how to set it.