TWA 0804
cookie '${cookie_name}' has SameSite set to 'none' or is not set properly
In the message output the variable ${cookie_name} is replaced by the name of the cookie.
A cookie was found in the HTTP response whose SameSite attribute has the value 'none', or whose SameSite attribute is not set properly (meaning it is neither 'strict', nor 'lax', nor 'none').
The SameSite attribute defines in which HTTP requests the web browser sends the cookie to the server. Restricting the cookie to a first-party context (value 'strict') limits the requests in which the cookie is transmitted. A cookie with the 'none' setting is sent in all contexts.
Set the SameSite attribute to 'strict' in your web application if the web application works with this setting. Use the 'lax' setting only if your web application needs the cookie in a third-party context. Try never to use the 'none' setting, because the cookie will then be sent in all contexts.
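The rule above, as an added example that is not part of this page or of the tool that emits TWA 0804: it parses Set-Cookie header values and reports every cookie whose SameSite attribute is 'none', missing, or some other unrecognised value, producing the message with ${cookie_name} substituted. The header values are constructed sample input, not taken from the page.

```python
from typing import Optional

# Constructed Set-Cookie header values used as sample input (not from the page).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "prefs=dark; Path=/; SameSite=Lax",
    "tracker=xyz; Path=/; Secure; SameSite=None",
    "legacy=1; Path=/; HttpOnly",
    "weird=2; Path=/; SameSite=Whatever",
]

MESSAGE = "cookie '${cookie_name}' has SameSite set to 'none' or is not set properly"


def parse_set_cookie(header: str) -> tuple[str, Optional[str]]:
    """Return (cookie_name, samesite_value) for one Set-Cookie header value.

    samesite_value is None when the attribute is absent. Attribute names and
    values are compared case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "samesite":
            samesite = value.strip().lower()  # "" when written as "SameSite" or "SameSite="
    return name, samesite


def samesite_finding(header: str) -> Optional[str]:
    """Apply the TWA 0804 rule to one Set-Cookie header value.

    Only 'strict' and 'lax' pass; 'none', a missing attribute and any other
    value are reported. Returns the rule message with ${cookie_name} filled in,
    or None when the cookie passes.
    """
    name, samesite = parse_set_cookie(header)
    if samesite in ("strict", "lax"):
        return None
    return MESSAGE.replace("${cookie_name}", name)


def scan_headers(headers: list[str]) -> list[str]:
    """Run the rule over all Set-Cookie values of a response; returns the findings."""
    return [m for m in (samesite_finding(h) for h in headers) if m is not None]


if __name__ == "__main__":
    for msg in scan_headers(SAMPLE_HEADERS):
        print(msg)
```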