-
Notifications
You must be signed in to change notification settings - Fork 53
TWA 0805
cookie '${cookie_name}' has missing or empty 'SameSite' flag
In the message output the variable ${cookie_name} is replaced by the name of the cookie.
A cookie was found in the HTTP response that has no SameSite attribute or the value of the SameSite attribute is empty.
The SameSite attribute defines in which HTTP requests the cookie should be sent from the web browser to the server.
A restriction to a first-party context (value Strict) reduces the receiver of the cookie.
The web browser will handle a cookie without a SameSite attribute like a cookie with SameSite=Lax setting.
A cookie with Lax setting will be sent in a third-party context also.
Set the SameSite attribute on the cookie in your web application.
Set the value of the SameSite attribute to Strict in your web application, if the web application can work with this setting.
Use the lax setting only if your web application needs the cookie in a third-party context.