Cookie without SameSite Flag

Impact: Low


The absence of the SameSite flag in cookies leaves them vulnerable to cross-site request forgery (CSRF) attacks, where unauthorized actions are performed on behalf of a user. Setting the SameSite flag with an appropriate value prevents browsers from sending cookies in cross-origin requests, thereby mitigating the risk of CSRF attacks.


To enhance security, always set the SameSite flag for cookies, specifying the appropriate value based on the application’s requirements. This helps prevent unauthorized access to cookies and protects against CSRF attacks.


Last updated on May 13, 2024

Use SmartScanner Free version to test for this issue