Description
The absence of the SameSite flag in cookies leaves them vulnerable to cross-site request forgery (CSRF) attacks, where unauthorized actions are performed on behalf of a user. Setting the SameSite flag with an appropriate value prevents browsers from sending cookies in cross-origin requests, thereby mitigating the risk of CSRF attacks.
Recommendation
To enhance security, always set the SameSite flag for cookies, specifying the appropriate value based on the application’s requirements. This helps prevent unauthorized access to cookies and protects against CSRF attacks.
References
- OWASP: SameSite
- OWASP: Session Management Cheat Sheet
- MDN Web Docs: SameSite cookie
- CWE-1275
- CWE-16
- OWASP 2021-A1
- OWASP 2021-A5
Related Issues
- Cookie without HttpOnly Flag - Vulnerability
- Session Cookie without SameSite Flag - Vulnerability
- Session Cookie without Secure Flag - Vulnerability
- Cookie Accessible for Subdomains - Vulnerability
- Tags:
- HTTP Headers
- Cookie
- Cross-Site Request Forgery
- Application Misconfiguration
Anything's wrong? Let us know Last updated on May 13, 2024