Cookies / sessions · Check
Session cookie missing SameSite — defaulting to Lax explicitly
Modern browsers default unset SameSite cookies to `Lax`, but explicitly setting `SameSite=Lax` makes the contract clear and prevents older clients from defaulting to the looser legacy behavior. For most session cookies, `Lax` is the correct value.
Real-world risk
Cross-site requests may include the session cookie on more flows than intended (CSRF-friendly).
Fix steps (in order)
- Set SameSite=Lax (default for many frameworks) or Strict for high-assurance sessions.
- Example: Set-Cookie: sid=…; Path=/; HttpOnly; Secure; SameSite=Lax
Topic explainer
CORS explained: how cross-origin requests actually work →
A practical explainer of CORS — same-origin policy, preflight requests, the headers that matter, and the configurations that quietly break security.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (session_cookie_samesite_missing) clears once the externally-observable signal is in place.