SameSite Cookie Attribute Enforcement
Description
Configure the web server or reverse proxy to enforce the SameSite attribute (Lax or Strict) on all Set-Cookie response headers. SameSite is evaluated per site (scheme plus registrable domain), not per origin, so a sibling subdomain counts as same-site. With SameSite=Lax the browser sends the cookie on same-site requests and on cross-site top-level navigations that use a safe method (a link click or a GET form), but withholds it from cross-site POST, PUT, DELETE and other non-safe requests and from cross-site subresource requests (images, frames, fetch/XHR). With SameSite=Strict the cookie is withheld from every cross-site request, including top-level GET navigations. This blocks classic CSRF because the attacker's cross-site request arrives without the victim's session cookie and is handled as unauthenticated. Chromium-based browsers treat cookies that omit SameSite as Lax by default (with a short allowance for cross-site POSTs on cookies set within the last two minutes); not every browser does, and an application that explicitly sets SameSite=None (required, together with Secure, for cookies used in cross-site contexts) or a legacy application whose cookies predate the default is outside this protection. Enforcing the attribute at the proxy layer overrides whatever attributes the application emits. Two caveats apply: Lax still permits state changes triggered by cross-site GET navigations, so endpoints that mutate state on GET remain exploitable, and rewriting SameSite=None to Lax breaks legitimate cross-site flows such as embedded widgets or SAML/OIDC responses POSTed back from an identity provider, so those cookies need an explicit, documented exception.
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Attack Complexity (AC) | L → H | The attacker must find a way around the SameSite restriction (e.g., exploit an XSS or HTML-injection flaw on a sibling subdomain to gain same-site context, find a state-changing GET endpoint when only Lax is enforced, or target a browser that does not enforce SameSite) to get the victim's session cookie attached to a cross-site request. Without such a bypass, cross-site state-changing requests arrive unauthenticated and are rejected by the application. |
CWE Relationships
Verification
Verify that every Set-Cookie response header includes SameSite=Lax or SameSite=Strict, including cookies set on login, logout and error responses and on API endpoints, since enforcement at the proxy must cover every path the application serves. Any cookie that legitimately needs SameSite=None must also carry Secure and be listed as an approved exception. Check the web server or reverse proxy configuration for the cookie attribute enforcement directive (for example, nginx proxy_cookie_flags or an Apache Header edit rule on Set-Cookie).
# Expected: SameSite enforcement directive present in the server or proxy configuration
# Expected: SameSite=Lax or SameSite=Strict on every Set-Cookie header, with any SameSite=None cookie marked Secure and explicitly justified
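The following is an added example, not code from the original page or from any web server or proxy product. It models the two sides of this control in one place: the rewrite a proxy performs on Set-Cookie headers (append SameSite=Lax when the attribute is missing, leave explicit Lax/Strict alone, and either keep SameSite=None with Secure or downgrade it when policy demands), and the audit used in the Verification step, which classifies each header as ok, missing, invalid, none or none-insecure. The header strings in SAMPLE_HEADERS are constructed for illustration, and the function names, verdict labels and the downgrade_none policy switch are this example's own assumptions.

```python
"""Added example: enforce and audit the SameSite attribute on Set-Cookie
headers. Illustrative code, not the page's or any proxy's own implementation."""
from dataclasses import dataclass, field

VALID_SAMESITE = ("strict", "lax", "none")


@dataclass
class SetCookie:
    name: str
    value: str
    # Attributes in original order and spelling; None marks a bare flag (Secure, HttpOnly).
    attrs: list = field(default_factory=list)

    def get(self, attr):
        """Return (index, value) of a case-insensitive attribute, or (None, None)."""
        for i, (k, v) in enumerate(self.attrs):
            if k.lower() == attr:
                return i, v
        return None, None

    def serialize(self):
        parts = [f"{self.name}={self.value}"]
        parts += [k if v is None else f"{k}={v}" for k, v in self.attrs]
        return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie value into its name/value pair and attribute list."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    cookie = SetCookie(name.strip(), value.strip())
    for p in pieces[1:]:
        if p:
            k, sep, v = p.partition("=")
            cookie.attrs.append((k.strip(), v.strip() if sep else None))
    return cookie


def enforce_samesite(header, default="Lax", downgrade_none=False):
    """Return the header as a proxy enforcing SameSite would emit it.

    - No SameSite attribute (or an invalid value): append SameSite=<default>.
    - SameSite=None: keep it for explicit cross-site use, adding Secure if
      missing (browsers reject None without Secure), unless downgrade_none
      is set, in which case it is rewritten to <default>.
    - SameSite=Lax or Strict: left untouched.
    """
    cookie = parse_set_cookie(header)
    idx, current = cookie.get("samesite")
    if idx is None or (current or "").lower() not in VALID_SAMESITE:
        if idx is not None:
            cookie.attrs.pop(idx)  # drop an invalid value; browsers ignore it anyway
        cookie.attrs.append(("SameSite", default))
    elif current.lower() == "none":
        if downgrade_none:
            cookie.attrs[idx] = (cookie.attrs[idx][0], default)
        elif cookie.get("secure")[0] is None:
            cookie.attrs.append(("Secure", None))
    return cookie.serialize()


def audit_set_cookie(header):
    """Classify one Set-Cookie header for the verification step."""
    cookie = parse_set_cookie(header)
    idx, value = cookie.get("samesite")
    if idx is None:
        verdict = "missing"        # relies on the browser default (Chromium: Lax; others: none)
    elif value is None or value.lower() not in VALID_SAMESITE:
        verdict = "invalid"        # unknown value is treated as if SameSite were omitted
    elif value.lower() == "none":
        secure = cookie.get("secure")[0] is not None
        verdict = "none" if secure else "none-insecure"
    else:
        verdict = "ok"             # Lax or Strict
    return cookie.name, verdict


def audit_set_cookies(headers):
    return [audit_set_cookie(h) for h in headers]


def all_compliant(headers):
    """True only if every cookie carries SameSite=Lax or SameSite=Strict."""
    return all(v == "ok" for _, v in audit_set_cookies(headers))


# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "csrftoken=xyz; Path=/; SameSite=Strict",
    "widget_sess=w1; Path=/; Secure; SameSite=None",
    "legacy=old; Path=/; samesite=none",
    "pref=dark; Path=/; SameSite=Bogus",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        _, verdict = audit_set_cookie(h)
        print(f"{verdict:14} {h}")
        print(f"{'-> enforced':14} {enforce_samesite(h)}")
    print("all compliant before:", all_compliant(SAMPLE_HEADERS))
    print("all compliant after downgrade:",
          all_compliant([enforce_samesite(h, downgrade_none=True) for h in SAMPLE_HEADERS]))
```

In practice the header list fed to audit_set_cookies comes from the responses of a crawl of the deployed application (for example, curl -sD - on each endpoint, keeping only Set-Cookie lines), and the enforcement half corresponds to a directive such as nginx proxy_cookie_flags; the downgrade_none switch makes the trade-off from the Description explicit, since running with it on is what yields full compliance but also what breaks cookies that genuinely need cross-site delivery.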