Vulnerabilities / Cookie with SameSite attribute set to None
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Severity
Low
CWE Name
Cookie with SameSite attribute set to None
CWE ID
CWE-1275
CVSS Score
3.1
Compliance
We found a Set-Cookie header with the SameSite cookie attribute set to None. This is not a vulnerability by itself, but the SameSite attribute controls whether the browser sends the cookie with cross-site requests. When properly configured, SameSite makes Cross-Site Request Forgery (CSRF) attacks impossible or very hard to perpetrate. When set to None, this protection is disabled.
How to fix
Set the SameSite cookie attribute to strict to mitigate CSRF attacks. If strict breaks any functionality, use lax instead, which gives you protection against POST-based CSRF, but not GET ones.
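The check described above, as an added example that is not part of the original page or of any scanner's code: it parses Set-Cookie headers, reports cookies whose SameSite attribute is None (or absent), and rewrites a header to the strict or lax setting. The sample headers are constructed for the example.

```python
from typing import Dict, List, Optional

# Constructed Set-Cookie headers for the example (not taken from any real site).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=None",
    "csrf=xyz; Path=/; SameSite=Lax",
    "pref=dark; Path=/",
    "auth=tok; Path=/; Secure; SameSite=Strict",
]


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split a Set-Cookie value into its name/value pair and attributes.
    Attribute names are folded to lower case; flag attributes map to None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return attrs


def samesite_finding(header: str) -> Optional[str]:
    """Return a finding for a weak SameSite setting, or None when Strict/Lax is set."""
    attrs = parse_set_cookie(header)
    name = attrs["__name__"]
    mode = (attrs.get("samesite") or "").lower()
    if mode == "none":
        if "secure" not in attrs:
            return f"{name}: SameSite=None without Secure (Chromium-based browsers reject it)"
        return f"{name}: SameSite=None disables cross-site request protection (CWE-1275)"
    if mode in ("strict", "lax"):
        return None
    return f"{name}: SameSite attribute missing; do not rely on browser defaults"


def audit(headers: List[str]) -> List[str]:
    """Run samesite_finding over a list of Set-Cookie headers and collect findings."""
    return [f for f in (samesite_finding(h) for h in headers) if f]


def harden(header: str, mode: str = "Strict") -> str:
    """Rewrite the header with SameSite=Strict (or Lax) and a Secure flag, keeping other attributes."""
    if mode not in ("Strict", "Lax"):
        raise ValueError("mode must be Strict or Lax")
    kept = [p.strip() for p in header.split(";") if p.strip() and not p.strip().lower().startswith("samesite")]
    if not any(p.lower() == "secure" for p in kept):
        kept.append("Secure")
    kept.append(f"SameSite={mode}")
    return "; ".join(kept)
```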