SameSite cookies: Lax, Strict, None explained

Lax is the new default, Strict breaks SSO, and None without Secure is just dropped on the floor. Here is how to pick the right SameSite value for each cookie.

What it is

SameSite is a cookie attribute that tells the browser when to attach a cookie to a cross-site request, where cross-site means the request's target site (its registrable domain) differs from the site shown in the address bar. Lax, the modern default, attaches the cookie to every same-site request and to cross-site top-level navigations that use a safe method such as GET, but not to cross-site POSTs, iframes, images or fetch() calls. Strict never attaches it cross-site, not even on a top-level link click into the site. None attaches it to every cross-site request and is only accepted by the browser when Secure is also set.
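The three values are easiest to compare by running one cookie through the same cross-site requests. The following is an added example written for this page, not code from the original; `wouldAttach`, `compareModes`, the host names and the scenarios (including the form_post and sibling-subdomain cases discussed later in the FAQ) are all illustrative, and it assumes Chromium's rule that an omitted attribute behaves as Lax.

```javascript
// Added example (not code from the original page): a small model of the
// SameSite attach rules for one cookie and one request. Site comparison uses
// the registrable domain; real browsers consult the Public Suffix List, while
// this helper assumes plain "label.tld" hosts, which is enough for the
// constructed scenarios below.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// cookie:  { name, sameSite: "Lax" | "Strict" | "None" | undefined, secure: bool }
// request: { url, method, topLevel: bool (a navigation that changes the address bar),
//            initiatorSite: host of the page that caused the request }
function wouldAttach(cookie, request) {
  const target = new URL(request.url);
  // A Secure cookie is never sent over plain http://, whatever its SameSite value.
  if (cookie.secure && target.protocol !== "https:") return false;

  // Same-site requests are never restricted by SameSite; note that every
  // subdomain of the registrable domain counts as same-site.
  if (registrableDomain(target.hostname) === registrableDomain(request.initiatorSite)) {
    return true;
  }

  // Assumption: Chromium semantics, where an omitted attribute behaves as Lax.
  // Chromium's temporary "Lax+POST" exception for very fresh cookies is not modelled.
  const mode = cookie.sameSite ?? "Lax";
  switch (mode) {
    case "Strict":
      return false;
    case "Lax":
      return request.topLevel && SAFE_METHODS.has(request.method.toUpperCase());
    case "None":
      // None without Secure is rejected when the cookie is set, so it never exists to send.
      return cookie.secure;
    default:
      throw new Error(`unsupported SameSite value: ${mode}`);
  }
}

// Evaluate one request against the same cookie under each SameSite value.
function compareModes(request) {
  const result = {};
  for (const mode of ["Lax", "Strict", "None"]) {
    result[mode] = wouldAttach({ name: "sid", sameSite: mode, secure: true }, request);
  }
  return result;
}

// Constructed scenarios: app.example.com owns the cookie, idp.example is the
// identity provider, evil.example.com is a sibling subdomain of the same site.
const SCENARIOS = {
  oauthCallbackGet: { url: "https://app.example.com/cb?code=x", method: "GET",  topLevel: true,  initiatorSite: "idp.example" },
  oauthFormPost:    { url: "https://app.example.com/cb",        method: "POST", topLevel: true,  initiatorSite: "idp.example" },
  iframeWidget:     { url: "https://app.example.com/widget",    method: "GET",  topLevel: false, initiatorSite: "idp.example" },
  siblingSubdomain: { url: "https://app.example.com/transfer",  method: "POST", topLevel: true,  initiatorSite: "evil.example.com" },
};

for (const [label, request] of Object.entries(SCENARIOS)) {
  console.log(label, compareModes(request));
}
```

The last scenario is the one people miss: a POST from evil.example.com to app.example.com is same-site, so Lax and even Strict attach the cookie. SameSite narrows the CSRF surface to your own registrable domain; it does not replace a token or an Origin check on state-changing endpoints.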

Why it matters

SameSite is the cheapest CSRF defense and the easiest one to break things with: SSO redirects and embedded payment widgets stop working if you pick the wrong value. Chrome 80 began changing the default from None to Lax in 2020, breaking many sites that had relied on the old behavior. It is also not a complete defense on its own: Lax still attaches the cookie to cross-site top-level GET navigations, and every subdomain of your registrable domain counts as same-site, so state-changing endpoints still need a CSRF token or an Origin check.

How Barrion checks it

Barrion inspects every Set-Cookie response header on your scanned pages and reports cookies that omit SameSite, set SameSite=None without Secure, or use Strict on session cookies that take part in cross-site SSO.
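To make that check concrete, here is a small Set-Cookie linter written for this page; it is not Barrion's scanner code. It reports the same three findings plus the cookie-prefix rules that cause silent rejection. Which cookies count as SSO session cookies is application knowledge, so the caller passes their names in `ssoSessionNames`; `parseSetCookie`, `lintSetCookie`, `lintAll` and the sample headers are all constructed for the example.

```javascript
// Added example, not Barrion's scanner: lint Set-Cookie headers for the
// SameSite and prefix problems described on this page.
// A Set-Cookie value has the shape "name=value; Attr; Attr=value; ...";
// attribute names are case-insensitive, so they are lower-cased here.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq).trim(),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    attrs: {},
  };
  for (const av of rest) {
    if (!av) continue;
    const i = av.indexOf("=");
    const key = (i === -1 ? av : av.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : av.slice(i + 1).trim();
  }
  return cookie;
}

// ssoSessionNames: names of session cookies that must survive a cross-site SSO
// redirect (application knowledge; assumed to be supplied by the caller).
function lintSetCookie(header, ssoSessionNames = new Set()) {
  const c = parseSetCookie(header);
  const findings = [];
  const secure = c.attrs.secure === true;
  const rawSameSite = c.attrs.samesite;
  const sameSite = typeof rawSameSite === "string" ? rawSameSite.toLowerCase() : undefined;

  if (sameSite === undefined) {
    findings.push("missing SameSite: behaviour falls back to each browser's default");
  } else if (!["lax", "strict", "none"].includes(sameSite)) {
    findings.push(`unrecognised SameSite=${rawSameSite}: not a valid value, browsers fall back to their default`);
  }
  if (sameSite === "none" && !secure) {
    findings.push("SameSite=None without Secure: browsers reject the cookie");
  }
  if (sameSite === "strict" && ssoSessionNames.has(c.name)) {
    findings.push("SameSite=Strict on an SSO session cookie: the redirect back from the IdP arrives without it");
  }
  if (c.name.startsWith("__Host-")) {
    if (!secure) findings.push("__Host- prefix requires Secure: the cookie is rejected");
    if ("domain" in c.attrs) findings.push("__Host- prefix forbids a Domain attribute: the cookie is rejected");
    if (c.attrs.path !== "/") findings.push("__Host- prefix requires Path=/: the cookie is rejected");
  } else if (c.name.startsWith("__Secure-") && !secure) {
    findings.push("__Secure- prefix requires Secure: the cookie is rejected");
  }
  return findings;
}

// Constructed sample headers, as a scanner would see them in one response.
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/; HttpOnly",
  "widget=1; SameSite=None; Path=/",
  "__Host-sid=abc123; SameSite=None; Secure; Path=/; Domain=example.com",
  "sso=xyz; SameSite=Strict; Secure; Path=/; HttpOnly",
  "__Host-sid=abc123; SameSite=Lax; Secure; Path=/; HttpOnly",
];

function lintAll(headers, ssoSessionNames = new Set(["sso"])) {
  return headers.map((h) => ({ header: h, findings: lintSetCookie(h, ssoSessionNames) }));
}

for (const { header, findings } of lintAll(SAMPLE_HEADERS)) {
  console.log(header, findings.length ? findings : ["ok"]);
}
```

Only the last header passes: it is Secure, HttpOnly, scoped to the exact host by the __Host- prefix, and explicitly Lax. Run the linter over the raw headers rather than over `document.cookie`, because a rejected cookie never reaches the document and the problem is invisible from script.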

FAQ

Common questions.

When is SameSite=None acceptable?
When the cookie has a legitimate cross-site job: third-party SSO, embedded widgets, federated analytics, or any iframe that needs the parent session. Always pair it with Secure (and HttpOnly unless script must read it), and prefer the __Host- prefix, or __Secure- if you genuinely need a Domain attribute, so the cookie can only be set over HTTPS and, with __Host-, only by the exact host. That stops an http:// origin or a sibling subdomain from overwriting it.
Does SameSite=Lax break OAuth?
Most OAuth flows survive Lax because the callback is a top-level GET, the one cross-site case in which Lax still attaches the cookie. It breaks when the callback uses response_mode=form_post (a cross-site POST) or runs inside an iframe, at which point the cookies the callback actually reads need SameSite=None plus Secure. Usually that is only the short-lived state or PKCE cookie written before the redirect; the session cookie you set after a successful callback can stay Lax. Chromium's temporary "Lax+POST" exception, which still sends cookies without an explicit attribute on top-level cross-site POSTs for two minutes after they are set, can mask the problem in testing; do not rely on it.
What does the browser do without SameSite at all?
Chrome, Edge and other Chromium-based browsers treat an omitted attribute as Lax. Firefox and Safari still treat it as None, but both limit third-party cookies in other ways: Firefox partitions them per top-level site by default and Safari blocks them outright, so an unattributed cookie behaves differently in each. Older Chromium builds and some embedded WebViews default to None as well. Explicitly setting the attribute is the only way to get consistent behavior across the install base.
Why is my SameSite=None cookie being dropped silently?
Browsers reject SameSite=None when Secure is missing, refuse to store a Secure cookie that was set over plain HTTP (localhost aside), and reject any __Host- cookie that carries a Domain attribute or a Path other than /. The rejection is silent to your application, so check the response in the DevTools Network panel: the Cookies tab for that response lists each blocked Set-Cookie with the reason.