What is SameSite Cookie Attribute?
SameSite is an attribute on the `Set-Cookie` header that tells the browser whether to send the cookie on cross-site requests. Values are `Strict` (never sent cross-site), `Lax` (sent only on top-level navigations such as following a link, i.e. GET requests), and `None` (always sent, which requires `Secure`). Modern browsers default to `Lax` when the attribute is missing.
In more detail
`Lax` is the right default for most session cookies — it protects against CSRF while still letting users follow links into your site. Because `Lax` still sends the cookie on top-level GET navigations, state-changing endpoints must not accept GET. `Strict` is safer but breaks navigation from external sites (users click a link from Twitter and arrive logged out). `None` is for embedded iframes and cross-site widgets; it requires `Secure` as well, and browsers reject a `SameSite=None` cookie that lacks it.
Set-Cookie: session=abc; Secure; HttpOnly; SameSite=Lax; Path=/
Why this matters
Why builders care
Explicitly setting SameSite on every cookie is better than relying on the browser default — some older browsers do not default to Lax, so an unset attribute behaves differently depending on the client. Pair it with Secure and HttpOnly for full protection.
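To make the "set it explicitly on every cookie" advice checkable, here is an added example (not code from the original page) that audits `Set-Cookie` headers for the three attributes discussed above. The sample headers at the bottom are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for Secure, HttpOnly and SameSite.
# Not part of the original page; the sample headers below are constructed.

VALID_SAMESITE = ("strict", "lax", "none")


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags like Secure map to ""
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Return a list of findings; an empty list means the cookie is set correctly."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if "samesite" not in attrs:
        findings.append("missing SameSite (browser default varies; set it explicitly)")
    elif samesite not in VALID_SAMESITE:
        findings.append(f"invalid SameSite value {attrs['samesite']!r}")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure; browsers reject this cookie")
    return findings


# Constructed sample headers, from fully hardened to badly configured.
SAMPLE_HEADERS = [
    "session=abc; Secure; HttpOnly; SameSite=Lax; Path=/",
    "session=abc; Path=/",
    "widget=1; HttpOnly; SameSite=None; Path=/",
    "pref=dark; Secure; HttpOnly; SameSite=Loose",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", audit_cookie(h) or "OK")
```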
Fix guides
Fix SameSite Cookie Attribute issues
Cookie missing SameSite
SameSite controls whether cookies are sent on cross-site requests — the main defense against CSRF. Here is how to set it.
Cookie missing Secure flag
Cookies without the Secure flag can be sent over HTTP, leaking session tokens to anyone on the same network. Here is how to set it.
Cookie missing HttpOnly
HttpOnly stops JavaScript from reading a cookie, which is critical for session tokens. Here is when and how to set it.