We found a Set-Cookie header with the SameSite cookie attribute set to None. This is not a vulnerability by itself, but the SameSite attribute controls whether the cookie is sent along with cross-site requests, and when it is properly configured it makes Cross-Site Request Forgery (CSRF) attacks impossible or very hard to perpetrate. With SameSite=None, that protection is disabled for this cookie.
Set the SameSite cookie attribute to Strict to mitigate CSRF attacks. If Strict breaks any functionality, use Lax instead, which protects against POST-based CSRF but not against GET-based CSRF (the cookie is still sent on top-level GET navigations).
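To make the finding and the remediation concrete, the following is an added example (not part of the original finding, and not code from any particular scanner) that parses Set-Cookie header values, reports cookies set with SameSite=None or with no SameSite attribute at all, and rewrites a header to the recommended Strict or fallback Lax value. The sample header values and the helper names are constructed for this illustration; the one extra check it adds beyond the text is that a SameSite=None cookie must also carry the Secure attribute, since modern browsers reject SameSite=None without it.

```python
"""Audit and fix the SameSite attribute on Set-Cookie headers.

Hypothetical helper written for this example; the sample headers below are
constructed, not captured from a real application.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CookieReport:
    name: str
    samesite: Optional[str]   # normalised to "strict", "lax", "none", or None if absent
    secure: bool
    severity: Optional[str]   # "high", "medium", "info", or None when acceptable
    finding: Optional[str]    # human-readable explanation, None when acceptable


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split 'name=value; Attr; Attr=val' into the cookie name and a dict of
    lower-cased attribute names to values (None for flag attributes like Secure)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def check_set_cookie(header_value: str) -> CookieReport:
    """Classify one Set-Cookie header value by its SameSite protection."""
    name, attrs = parse_set_cookie(header_value)
    raw = attrs.get("samesite")
    samesite = raw.lower() if raw else None   # "SameSite=" or bare "SameSite" count as absent
    secure = "secure" in attrs

    if samesite == "none":
        msg = "SameSite=None: cookie is sent on cross-site requests, so SameSite gives no CSRF protection"
        if not secure:
            msg += "; also missing Secure, which browsers require for SameSite=None"
        return CookieReport(name, samesite, secure, "high", msg)
    if samesite is None:
        return CookieReport(name, samesite, secure, "medium",
                            "SameSite missing: set it explicitly to Strict (or Lax if Strict breaks flows)")
    if samesite == "lax":
        return CookieReport(name, samesite, secure, "info",
                            "SameSite=Lax: blocks cross-site POST, but top-level GET navigations still send the cookie")
    if samesite == "strict":
        return CookieReport(name, samesite, secure, None, None)
    return CookieReport(name, samesite, secure, "medium",
                        f"unrecognised SameSite value {raw!r}: browsers fall back to their default handling")


def set_samesite(header_value: str, mode: str) -> str:
    """Return the header value with SameSite replaced by (or added as) Strict or Lax."""
    if mode.lower() not in ("strict", "lax"):
        raise ValueError("mode must be Strict or Lax")
    parts = [p.strip() for p in header_value.split(";")]
    out = [parts[0]]
    replaced = False
    for part in parts[1:]:
        if not part:
            continue
        if part.split("=", 1)[0].strip().lower() == "samesite":
            out.append(f"SameSite={mode}")
            replaced = True
        else:
            out.append(part)
    if not replaced:
        out.append(f"SameSite={mode}")
    return "; ".join(out)


# Constructed sample headers for demonstration.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "tracker=xyz; Path=/; SameSite=None",
    "pref=dark; Path=/; HttpOnly",
    "csrf=tok; Path=/; Secure; SameSite=Lax",
    "admin=1; Path=/admin; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        report = check_set_cookie(header)
        print(f"{report.name:8} {str(report.severity):6} {report.finding}")
        if report.severity in ("high", "medium"):
            print(f"         fix: {set_samesite(header, 'Strict')}")
```

Run it as a script to see each sample classified and, for the flagged ones, the rewritten header. The rewrite keeps every other attribute (Path, Secure, HttpOnly) untouched so it can be applied to an existing response without side effects.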