XSRF Prevention with SameSite
Explore how the SameSite cookie attribute helps prevent Cross-Site Request Forgery (XSRF) by instructing browsers to send cookies only for requests originating from the same site. Understand its benefits, proper use cases like SameSite=Strict and SameSite=Lax, and limitations such as dependency on browser support and protection gaps in cases of cross-site scripting (XSS). This lesson helps you implement layered defenses for secure web applications.
Introduction to SameSite
We now have a very strong defense against XSRF—using an anti-XSRF hidden form input on all state-modifying requests. But that defense requires ongoing diligence; we are never done applying it. We need to reapply it every time we add a new state-modifying request to our web application, which happens often during active development.
It would be nice if we could layer on a one-time effort to help lessen the impact if we ever forget to be diligent in the future. That is the idea behind SameSite cookies. Let’s take a look at this defense, how it helps, and what its limitations are.
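To make the "layered" idea concrete, here is an added example (not code from the lesson) that models the two layers in plain Python: a `Set-Cookie` header for the `SessionId` cookie carrying a SameSite attribute, a simplified model of when a browser attaches that cookie to a cross-site request, and a server-side check that still requires the anti-XSRF token on state-modifying requests. The browser model follows the published SameSite rules (Strict: same-site only; Lax: same-site plus cross-site top-level navigations using safe methods; None: always), not any particular browser's implementation. The cookie name `SessionId` comes from the lesson; the function names and the `expected_token=None` convention for "an endpoint where we forgot the token check" are assumptions made for this example.

```python
"""Model of how SameSite changes which cross-site requests carry the SessionId
cookie, and how the anti-XSRF token remains a second, independent layer.
Constructed example for this lesson; the browser logic is a simplified model of
the SameSite rules, not a real browser's code."""
import hmac
import secrets
from http.cookies import SimpleCookie

# Methods the cookie spec treats as "safe" (not expected to change state).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def session_cookie_header(session_id: str, samesite: str = "Lax") -> str:
    """Build the Set-Cookie header value that issues the SessionId cookie."""
    if samesite not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    jar = SimpleCookie()
    jar["SessionId"] = session_id
    morsel = jar["SessionId"]
    morsel["path"] = "/"
    morsel["httponly"] = True   # not readable by page script
    morsel["secure"] = True     # HTTPS only; also mandatory with SameSite=None
    morsel["samesite"] = samesite  # supported by http.cookies since Python 3.8
    return morsel.OutputString()


def browser_attaches_cookie(samesite: str, same_site: bool, method: str,
                            top_level_navigation: bool) -> bool:
    """Modelled browser decision: is a SameSite-tagged cookie sent on this request?"""
    if same_site:
        return True                      # same-site requests always carry it
    if samesite == "Strict":
        return False                     # never on cross-site requests
    if samesite == "Lax":
        # only cross-site top-level navigations (link clicks, redirects) using a safe method
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True                          # SameSite=None: attached everywhere, as before SameSite


def new_xsrf_token() -> str:
    """Per-session anti-XSRF token to embed in forms as a hidden input."""
    return secrets.token_urlsafe(32)


def server_accepts(method: str, session_cookie, submitted_token, expected_token) -> bool:
    """Second layer: state-modifying requests need the session cookie AND a matching token.
    expected_token=None models an endpoint where the token check was forgotten (assumed convention)."""
    if method.upper() in SAFE_METHODS:
        return session_cookie is not None
    if session_cookie is None:
        return False
    if expected_token is None:
        return True   # forgotten check: the cookie alone authorizes the change
    return submitted_token is not None and hmac.compare_digest(submitted_token, expected_token)


def forged_request_succeeds(samesite: str, method: str, top_level_navigation: bool,
                            server_checks_token: bool) -> bool:
    """Does a cross-site request forged by a third-party page reach a state change?
    The forging page cannot read the victim's token, so it submits none."""
    cookie_sent = browser_attaches_cookie(samesite, False, method, top_level_navigation)
    if not cookie_sent:
        return False
    expected = new_xsrf_token() if server_checks_token else None
    return server_accepts(method, "victim-session", None, expected)


if __name__ == "__main__":
    print(session_cookie_header("abc123", "Lax"))
    for samesite in ("None", "Lax", "Strict"):
        print(samesite, "forgotten token check, POST:",
              forged_request_succeeds(samesite, "POST", True, False))
```

Running the scenarios shows the layering: with `SameSite=None` and a forgotten token check the forged POST succeeds, while `Lax` or `Strict` stops it even though the token layer was missed. The model also shows a limitation: `Lax` still attaches the cookie to a cross-site top-level `GET`, so an endpoint that changes state on `GET` gets no protection from `Lax`, which is one more reason to keep state changes on `POST` and keep the token check in place.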
Suppose we are building a web application that uses a cookie called SessionId to authenticate logged-in users. Normally, this cookie would be created by an HTTP response that includes a ...