Cookie missing SameSite on Next.js
Your cookie is missing the `SameSite` attribute. `SameSite` determines whether the browser sends the cookie on cross-site requests. Without it, the cookie is sent on every request, which exposes users of older browsers to CSRF. Modern browsers default to `Lax`, but you should not rely on that. Set `SameSite=Lax` for most cookies, `SameSite=Strict` for sensitive operations (banking, admin), and `SameSite=None; Secure` only when you truly need cross-site access.
The fix for Next.js
Set `sameSite` on every cookie. `lax` is the sensible default for most cases.
```ts
// Runs in a Server Action or Route Handler.
import { cookies } from 'next/headers';

// `token` is the session value produced by your auth code (placeholder here).
// In Next.js 15+, cookies() returns a Promise: use `(await cookies()).set(...)`.
cookies().set({
  name: 'session',
  value: token,
  secure: true,
  httpOnly: true,
  sameSite: 'lax', // or 'strict' for admin/finance
});
```
Why it matters
`SameSite` is the simplest CSRF defense. `Lax` is good for most apps. `Strict` is safest, but the cookie is not sent when a user arrives via an external link, so those page loads appear logged out. `None` is only for explicit cross-site auth (embedded widgets) and requires `Secure`.
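To check that a deployment actually follows the policy above, the following added example (not part of this guide or of Next.js) parses `Set-Cookie` header values and reports cookies that lack `SameSite`, use `SameSite=None` without `Secure`, or are scoped to sensitive paths without `SameSite=Strict`. The `/admin` and `/billing` prefixes and the sample headers are constructed assumptions; adjust them to your own routes.

```typescript
// Added example: audit Set-Cookie header values against the SameSite policy
// this guide recommends. Not Next.js code and not the guide's own code.

type SameSiteValue = 'lax' | 'strict' | 'none';

interface CookieAudit {
  name: string;
  sameSite: SameSiteValue | null;
  secure: boolean;
  issues: string[];
}

// Assumption for this example: cookies scoped to these path prefixes are
// treated as sensitive and should use SameSite=Strict.
const STRICT_PATH_PREFIXES = ['/admin', '/billing'];

// Parse one Set-Cookie header value into the attributes the audit needs.
function parseSetCookie(header: string): {
  name: string; sameSite: SameSiteValue | null; secure: boolean; path: string;
} {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const nameValue = parts.length > 0 ? parts[0] : '';
  const name = nameValue.split('=')[0].trim();
  let sameSite: SameSiteValue | null = null;
  let secure = false;
  let path = '/';
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : attr.slice(eq + 1).trim();
    if (key === 'secure') {
      secure = true;
    } else if (key === 'path' && val) {
      path = val;
    } else if (key === 'samesite') {
      const v = val.toLowerCase();
      // Unrecognised SameSite values are ignored by browsers, so they count as absent.
      if (v === 'lax' || v === 'strict' || v === 'none') sameSite = v;
    }
  }
  return { name, sameSite, secure, path };
}

// Apply the policy: SameSite must be present, None requires Secure, and
// cookies scoped to sensitive paths should be Strict.
function auditSetCookie(header: string): CookieAudit {
  const { name, sameSite, secure, path } = parseSetCookie(header);
  const issues: string[] = [];
  if (sameSite === null) {
    issues.push('missing SameSite (use SameSite=Lax unless cross-site access is required)');
  }
  if (sameSite === 'none' && !secure) {
    issues.push('SameSite=None without Secure is rejected by browsers');
  }
  const sensitive = STRICT_PATH_PREFIXES.some((p) => path.startsWith(p));
  if (sensitive && sameSite !== 'strict') {
    issues.push(`cookie scoped to ${path} should use SameSite=Strict`);
  }
  return { name, sameSite, secure, issues };
}

// Audit a list of Set-Cookie values, e.g. from response.headers.getSetCookie().
function auditSetCookies(headers: string[]): CookieAudit[] {
  return headers.map(auditSetCookie);
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; Secure; HttpOnly',                           // missing SameSite
  'admin_session=def456; Path=/admin; Secure; HttpOnly; SameSite=Lax',  // should be Strict
  'widget=ghi789; Path=/; SameSite=None',                               // None without Secure
  'csrf=jkl012; Path=/; Secure; HttpOnly; SameSite=Lax',                // compliant
];

for (const result of auditSetCookies(SAMPLE_HEADERS)) {
  console.log(result.name, result.issues.length === 0 ? 'OK' : result.issues.join('; '));
}
```

In Node 20+ you can feed `auditSetCookies` the output of `response.headers.getSetCookie()` after fetching a login or session endpoint of your own deployment, which gives a repeatable check to run alongside the scanner.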
Confirm the fix worked
Scan your Next.js site to confirm this finding is gone.
AI prompt
Apply across your codebase
Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.
Audit every cookie my app sets. Add SameSite=Lax as the default. For cookies on admin or billing routes, use SameSite=Strict. If I have any cookies that need to work in embedded iframes or cross-site contexts, use SameSite=None; Secure and tell me exactly why that cookie needs cross-site access.
FAQ
Frequently asked questions
- Does SameSite replace CSRF tokens?
- It replaces most of the need. For extra-sensitive operations (money transfers, privilege changes), keep CSRF tokens as defense in depth.
- I'm embedding my app in an iframe — what do I do?
- Use `SameSite=None; Secure`. Without Secure, None is rejected by browsers.
Related fix guides
Fix these too
Cookie missing Secure flag
Cookies without the Secure flag can be sent over HTTP, leaking session tokens to anyone on the same network. Here is how to set it.
Cookie missing HttpOnly
HttpOnly stops JavaScript from reading a cookie, which is critical for session tokens. Here is when and how to set it.
CORS credentials misconfiguration
Setting both `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true` is a dangerous misconfiguration. Here is why browsers block it and how to fix it correctly.
Concepts
Glossary
SameSite Cookie Attribute
SameSite controls whether the browser sends your cookie on cross-site requests. The main defense against CSRF.
Cross-Site Request Forgery
CSRF tricks a logged-in user into performing actions on your site without realizing. SameSite cookies are the modern defense.