Severity: medium | CWE-352 | OWASP A01:2021

Cookies Without SameSite Attribute

Cookies missing the SameSite attribute (or set to SameSite=None without Secure) are sent with cross-origin requests, which enables cross-site request forgery (CSRF).

How It Works

When no SameSite attribute is set (and the browser applies no default of its own), cookies are sent with every request to your domain, including requests triggered from other sites. SameSite=Lax prevents the cookie from being sent on cross-site POST requests (the common CSRF vector) while still allowing normal top-level navigation. SameSite=Strict is more restrictive still. Without the attribute, CSRF is trivially possible.

Vulnerable Code

// BAD: no SameSite — cookie sent on all cross-site requests
res.setHeader('Set-Cookie', `session=${token}; HttpOnly; Secure; Path=/`);

Secure Code

// GOOD: SameSite=Lax is a good default
res.setHeader(
  'Set-Cookie',
  `session=${token}; HttpOnly; Secure; Path=/; SameSite=Lax`
);

Real-World Example

Before browsers defaulted to SameSite=Lax in 2020, CSRF was trivially easy. Many older apps still explicitly set SameSite=None (for third-party contexts) without understanding the CSRF risk they're re-enabling.

How to Prevent It

  • Use SameSite=Lax as your default — it protects against CSRF while allowing normal navigation
  • Use SameSite=Strict for the most sensitive cookies (admin sessions)
  • Only use SameSite=None if you genuinely need the cookie in a cross-site iframe, and always pair it with Secure
  • Modern browsers default to Lax, but set it explicitly so older browsers are covered
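The checks the sections above describe, as an added example in Node.js-style JavaScript (not code from the original page or from Data Hogo): a small audit of Set-Cookie headers for the two weaknesses named here (no SameSite, or SameSite=None without Secure), plus a builder that emits a hardened session cookie. The function names and the sample headers are constructed for this example.

```javascript
// Added example: audit Set-Cookie headers for missing/weak SameSite and build
// a hardened session cookie. Names and sample headers are constructed.

// Split a Set-Cookie header into the cookie name and a lowercase-keyed
// attribute map (flag attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Return a list of findings for one header; an empty list means acceptable.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  const raw = attributes.samesite;
  if (raw === undefined) {
    findings.push(`${name}: missing SameSite (CSRF exposure where the browser has no Lax default)`);
  } else {
    const v = String(raw).toLowerCase(); // a bare "SameSite" flag becomes "true"
    if (v === 'none' && !('secure' in attributes)) {
      findings.push(`${name}: SameSite=None without Secure (re-enables CSRF; modern browsers reject it)`);
    } else if (!['lax', 'strict', 'none'].includes(v)) {
      findings.push(`${name}: unrecognised SameSite value "${raw}"`);
    }
  }
  return findings;
}

// Audit every Set-Cookie header a response carries (constructed sample input).
const SAMPLE_HEADERS = [
  'session=abc123; HttpOnly; Secure; Path=/',               // missing SameSite
  'tracker=xyz; Path=/; SameSite=None',                     // None without Secure
  'session=abc123; HttpOnly; Secure; Path=/; SameSite=Lax', // acceptable
];
function auditAll(headers) {
  return headers.flatMap(auditSetCookie);
}

// Build a hardened session cookie: Lax by default, Strict for the most
// sensitive cookies, None only ever alongside Secure (always emitted here).
function buildSessionCookie(name, value, { sameSite = 'Lax', maxAge } = {}) {
  if (!['Lax', 'Strict', 'None'].includes(sameSite)) throw new Error(`invalid SameSite: ${sameSite}`);
  const parts = [`${name}=${encodeURIComponent(value)}`, 'HttpOnly', 'Secure', 'Path=/', `SameSite=${sameSite}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  return parts.join('; ');
}
```

SameSite=Lax still sends the cookie on top-level cross-site GET navigations, so state-changing GET endpoints are not protected by it; keep CSRF tokens for those.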

Affected Technologies

Node.js, Next.js, Python, PHP

Data Hogo detects this vulnerability automatically.
