Cookie with Invalid SameSite Attribute

Risk:
Low

Type:
Passive

CWE:
CWE-1275

Summary: A cookie has been set with an invalid SameSite attribute value, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Solution: Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.

References: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site

Free security scan for your website

Don't show website scan report rating on the leaderboard