Many developers have never heard of SameSite cookies, or of how they can protect their apps from CSRF attacks. In this session we will learn about the three different options, “None”, “Lax”, and “Strict”, and discuss the benefits of each value.
“CSRF is dead (or is it?)” looks at SameSite cookies and whether they mean the end of CSRF (Cross Site Request Forgery) attacks or not. We discuss the different options and when you should use them, plus why Lax is the sane default.
The browser tests discussed in the talk can be found at https://samesitetest.com/.
Manual SameSite Cookie Test
Manually test the behaviour of SameSite cookies in your browser across the different cross-site request types: POST, and embedded content.
Automatic SameSite Browser Test
Automated test suite that audits the behaviour of your browser with the different SameSite options, across https and http, same-site and cross-site requests. Note that it will take a while, as there is a 2 minute delay to properly account for SameSite=Lax+POST in Chrome.
The source code for the browser tests is on GitHub at valorin/samesite. If you have any ideas or suggestions, please feel free to submit an issue or PR.
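As an added example (not the talk's code and not the valorin/samesite test suite), here is a small Python model of the decision the automated test audits: whether a browser attaches a cookie to a request, given its SameSite value, the request type, and Chrome's 2 minute Lax+POST exception for cookies that set no attribute. The request labels, the Cookie class and the function names are this example's own choices.

```python
from dataclasses import dataclass
from typing import Optional

LAX_POST_WINDOW_SECONDS = 120  # Chrome's "Lax+POST" grace period after Set-Cookie
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Cross-site request types in the spirit of the manual test (labels are this
# example's own): (label, is_top_level_navigation, method)
CROSS_SITE_REQUESTS = [
    ("top-level GET", True, "GET"),
    ("top-level POST", True, "POST"),
    ("embedded content", False, "GET"),  # img, iframe, fetch/XHR
]


@dataclass
class Cookie:
    samesite: Optional[str]  # "Strict", "Lax", "None", or None if attribute absent
    secure: bool = False
    age_seconds: int = 0     # seconds since the cookie was set


def is_sent(cookie: Cookie, cross_site: bool, top_level: bool, method: str, https: bool) -> bool:
    """Would the browser attach this cookie to the request?"""
    if cookie.secure and not https:
        return False  # Secure cookies never travel over plain http
    if cookie.samesite == "None":
        return cookie.secure  # Chrome rejects SameSite=None without Secure
    if not cross_site:
        return True  # every policy allows same-site requests
    policy = cookie.samesite or "Lax"  # missing attribute defaults to Lax in Chrome
    if policy == "Strict":
        return False
    if top_level and method.upper() in SAFE_METHODS:
        return True  # Lax: cross-site allowed only for top-level safe navigations
    # Lax+POST: a *defaulted* cookie is still sent on a top-level cross-site POST
    # for 2 minutes after it was set, so legacy login redirects keep working.
    return (cookie.samesite is None and top_level and method.upper() == "POST"
            and cookie.age_seconds < LAX_POST_WINDOW_SECONDS)


def cross_site_exposure(cookie: Cookie, https: bool = True) -> list:
    """Cross-site request types that still carry the cookie (the CSRF-relevant set)."""
    return [label for label, top_level, method in CROSS_SITE_REQUESTS
            if is_sent(cookie, True, top_level, method, https)]


if __name__ == "__main__":
    for c in (Cookie("Strict"), Cookie("Lax"), Cookie(None, age_seconds=30),
              Cookie(None, age_seconds=300), Cookie("None", secure=True)):
        label = c.samesite or "(absent)"
        print(f"{label:>8} age={c.age_seconds:>3}s -> {cross_site_exposure(c)}")
```

Running the block prints, per cookie, the cross-site request types that still carry it; only a cookie with no attribute set less than 2 minutes ago is exposed to a cross-site POST under the Lax default.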
About Cross Site Request Forgery (CSRF)
- OWASP Community CSRF Overview – Summary of CSRF from OWASP (Open Web Application Security Project), explaining attacks and protections.
- PortSwigger CSRF Overview – Summary of CSRF, focusing on different types of attacks and how to bypass commonly flawed defenses.
About SameSite Cookies
- SameSite Cookies Explained – Comprehensive article outlining how SameSite cookies work and why they are important.
- SameSite Cookie Recipes – Implementation advice for SameSite=None, for when you need to work with cross-site requests.
- Can I Use “SameSite cookie Attribute”? – Browser support table for SameSite cookies.
- Chromium Project SameSite=Lax by Default Updates – Chromium update page outlining the current state of the SameSite=Lax by default rollout.
- Google Chrome SameSite=Lax by Default blog posts:
  - Building a more private web: A path towards making third party cookies obsolete (Tuesday, January 14, 2020)
  - Developers: Get Ready for New SameSite=None; Secure Cookie Settings (Wednesday, October 23, 2019)
  - SameSite Cookie Changes in February 2020: What You Need to Know (Monday, February 3, 2020)
  - Temporarily rolling back SameSite Cookie Changes (Friday, April 3, 2020)