SameSite Cookies
SameSite is a cookie attribute that controls whether the browser sends the cookie with cross-site requests, providing built-in CSRF protection by restricting when cookies travel across site boundaries.
Understanding SameSite Cookies
The SameSite attribute has three values. Strict means the cookie is never sent on cross-site requests — not even when the user clicks a link from another site to yours. The user must navigate directly to your site for the cookie to be included. Lax is the browser default (since Chrome 80) and allows the cookie on top-level GET navigations (clicking a link) but blocks it on other cross-site requests (POST form submissions, iframes, AJAX/fetch). None means the cookie is sent on all cross-site requests, but the Secure flag is required.
SameSite=Lax provides strong CSRF protection because it blocks the most common CSRF vectors — cross-site form submissions and AJAX requests — while preserving usability. When a user clicks a link from an email or another site to your application, the cookie is sent so they arrive authenticated. But a malicious site cannot submit a form to your application with the user's cookies.
SameSite=Strict offers maximum protection but can impact user experience. If a user clicks a link to your site from a search engine or email, they arrive without their session cookie and appear logged out. This is confusing for users and inappropriate for most public-facing applications. Strict is suitable for internal applications or banking sites where the security tradeoff is acceptable.
SameSite=None is required for cookies that must be sent cross-site, such as embedded iframes, cross-site API calls with credentials, and third-party widgets. However, SameSite=None requires the Secure flag (HTTPS only) and effectively opts out of the built-in CSRF protection, requiring other CSRF defenses.
With the phasing out of third-party cookies by browsers, SameSite=None cookies face increasing restrictions and may be blocked entirely in future browser versions.
Why This Matters for Vibe-Coded Apps
Understanding SameSite is essential for vibe-coded apps that use cookie-based authentication, especially those with OAuth flows. SameSite=Strict breaks OAuth callbacks because the redirect from the OAuth provider is a cross-site navigation that will not carry cookies. SameSite=Lax is the correct choice for most authentication cookies — it allows OAuth redirects while blocking CSRF.
AI-generated authentication code may not set SameSite explicitly, relying on the browser default (Lax in modern Chrome/Edge, but potentially None in older browsers). Explicitly setting SameSite=Lax ensures consistent behavior across all browsers and is a simple addition to any cookie configuration.
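The check above can be automated. As an added example (not code from the page or from any scanner), the following function parses a Set-Cookie header and reports the SameSite problems this section describes; the cookie names and header strings are constructed.

```javascript
// Parse a Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    if (!attr) continue;                     // tolerate a trailing ';'
    const [k, v = true] = attr.split('=');   // flag attributes (Secure) become true
    cookie.attrs[k.trim().toLowerCase()] = typeof v === 'string' ? v.trim() : v;
  }
  return cookie;
}

// Audit one Set-Cookie header. Returns [] when nothing needs attention.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  const secure = attrs.secure === true;
  if (sameSite === undefined) {
    findings.push({ level: 'warn', cookie: name,
      message: 'SameSite not set; default is Lax in modern Chrome/Edge but None in older browsers' });
  } else if (!['strict', 'lax', 'none'].includes(sameSite)) {
    findings.push({ level: 'warn', cookie: name, message: `unknown SameSite value "${attrs.samesite}"` });
  } else if (sameSite === 'none' && !secure) {
    findings.push({ level: 'error', cookie: name,
      message: 'SameSite=None without Secure is rejected by modern browsers' });
  } else if (sameSite === 'strict') {
    findings.push({ level: 'info', cookie: name,
      message: 'SameSite=Strict drops the cookie on external links and OAuth callbacks' });
  }
  return findings;
}

// Constructed headers: typical AI-generated output, a broken None cookie, and the fix.
const HEADER_IMPLICIT = 'session=abc123; Path=/; HttpOnly';
const HEADER_BROKEN   = 'session=abc123; Path=/; HttpOnly; SameSite=None';
const HEADER_FIXED    = 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';

for (const h of [HEADER_IMPLICIT, HEADER_BROKEN, HEADER_FIXED]) {
  console.log(h, '=>', auditSetCookie(h));
}
```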
Real-World Examples
Chrome SameSite-by-Default Rollout (2020)
Chrome 80 changed the default SameSite value from None to Lax, breaking thousands of websites that relied on cross-site cookie sending without explicitly setting SameSite=None. The change was temporarily rolled back during the COVID-19 pandemic due to the impact on healthcare and remote work sites, then gradually re-enabled.
OAuth Flow Breakage with SameSite=Strict
When developers set SameSite=Strict on authentication cookies, OAuth "Sign in with Google/GitHub" flows broke. The redirect from the OAuth provider to the callback URL is a cross-site navigation, and Strict blocks the session cookie, causing users to appear logged out after successful authentication. The fix was switching to SameSite=Lax.
Third-Party Cookie Deprecation
Google's Privacy Sandbox initiative aims to phase out third-party cookies (effectively SameSite=None cookies) entirely. This has massive implications for advertising, analytics, and embedded services. Websites that rely on cross-site cookies must transition to alternative mechanisms like the Storage Access API, Topics API, or first-party data strategies.
Frequently Asked Questions
Which SameSite value should I use for session cookies?
SameSite=Lax is the best choice for most web applications. It provides CSRF protection while allowing users to arrive authenticated when clicking links from emails, search engines, and other sites. Use Strict only for high-security internal applications where the "appear logged out from external links" behavior is acceptable. Use None only when your authentication requires cross-site cookie sending (embedded iframes, cross-site API widgets).
Does SameSite=Lax fully prevent CSRF?
Lax prevents the most common CSRF vectors (cross-site form POST, AJAX requests with cookies) but allows cookies on top-level GET navigations. If your application performs state changes on GET requests (which it should not), Lax does not protect those. For defense in depth, combine SameSite=Lax with CSRF tokens on state-changing operations. If all your state changes use POST/PUT/DELETE methods (as they should), Lax provides strong standalone CSRF protection.
Why does SameSite=None require the Secure flag?
Browsers require SameSite=None cookies to also have the Secure flag (HTTPS only). This is because SameSite=None explicitly allows cross-site cookie sending, which increases the exposure surface. Requiring HTTPS ensures the cookie is at least encrypted in transit, even though it is being sent cross-site. A cookie with SameSite=None but without the Secure flag is rejected by modern browsers.
How does SameSite interact with OAuth flows?
OAuth redirect flows are cross-site navigations — the user is redirected from the OAuth provider (e.g., accounts.google.com) to your callback URL. With SameSite=Strict, this redirect does not carry your session cookie, breaking the flow. With SameSite=Lax, the cookie is sent because it is a top-level navigation, allowing the flow to work. With SameSite=None, the cookie is always sent. Lax is the recommended value for authentication cookies in applications using OAuth.
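To make the Strict/Lax/None behaviour from the "Understanding SameSite Cookies" section and the two FAQ answers above concrete, here is an added example (not code from the page) that models the browser's decision for the four request contexts discussed: an OAuth callback, a cross-site form POST, a cross-site fetch or iframe, and a same-site request. The scenario names and cookie objects are constructed; the model ignores finer points such as Chrome's temporary "Lax+POST" allowance for cookies that set no SameSite attribute.

```javascript
// cookie: { sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure: boolean }
// ctx:    { crossSite, topLevel, method, https } describing the request
function wouldBrowserSend(cookie, ctx) {
  const sameSite = (cookie.sameSite || 'Lax').toLowerCase(); // modern default is Lax
  if (cookie.secure && !ctx.https) return false;             // Secure never travels over HTTP
  if (!ctx.crossSite) return true;                           // same-site requests always carry it
  switch (sameSite) {
    case 'strict':
      return false;                                          // never on cross-site requests
    case 'none':
      return cookie.secure === true;                         // None without Secure is rejected at set time
    default:                                                 // lax
      return ctx.topLevel && ['GET', 'HEAD'].includes(ctx.method.toUpperCase());
  }
}

// Constructed request contexts mirroring the cases discussed on this page.
const SCENARIOS = {
  oauthCallback:   { crossSite: true,  topLevel: true,  method: 'GET',  https: true },
  csrfFormPost:    { crossSite: true,  topLevel: true,  method: 'POST', https: true },
  crossSiteFetch:  { crossSite: true,  topLevel: false, method: 'GET',  https: true },
  sameSiteRequest: { crossSite: false, topLevel: false, method: 'POST', https: true },
};

// Build a table of which SameSite value lets the cookie through in which scenario.
function compareSameSiteValues() {
  const cookies = {
    strict: { sameSite: 'Strict', secure: true },
    lax:    { sameSite: 'Lax',    secure: true },
    none:   { sameSite: 'None',   secure: true },
  };
  const table = {};
  for (const [value, cookie] of Object.entries(cookies)) {
    table[value] = {};
    for (const [scenario, ctx] of Object.entries(SCENARIOS)) {
      table[value][scenario] = wouldBrowserSend(cookie, ctx);
    }
  }
  return table;
}

console.table(compareSameSiteValues());
```

The output shows why Lax is the usual recommendation: it is the only value that sends the cookie on the OAuth callback while withholding it from the cross-site POST and fetch.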
Is Your App Protected?
VAS automatically scans for vulnerabilities related to SameSite cookies and provides detailed remediation guidance. Our scanner targets issues common in AI-generated applications.
Scans from $5, results in minutes. Get actionable fixes tailored to your stack.