Vulnerabilities / Cookie with SameSite attribute set to None

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Severity
Low
CWE Name
Cookie with SameSite attribute set to None
CWE ID
CWE-1275
CVSS Score
3.1
Compliance
OWASP TOP10 -> A2, A7
PCI-DSS -> 4.1, 6.5.4, 6.5.10
ISO27001 -> A.5.14, A.8.9, A.8.24, A.8.26
Cookie with SameSite attribute set to None

We found a Set-Cookie header with the SameSite cookie attribute set to None. Although this is not a vulnerability by itself, the SameSite attribute controls whether a cookie is sent with cross-site requests. If properly configured, SameSite makes Cross-Site Request Forgery (CSRF) attacks impossible or very hard to perpetrate. If set to None, the cookie is sent with cross-site requests and this protection is not enabled.

How to fix

  • Set the SameSite cookie attribute to Strict to mitigate CSRF attacks. If Strict breaks any functionality, use Lax instead, which protects against POST-based CSRF but not against GET-based CSRF.
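The following is an added example, not code from the original page or the scanner it describes. It shows how the finding above can be reproduced and remediated in code: a small parser for Set-Cookie header values, a check that reports cookies whose SameSite attribute is None (and, going slightly beyond the page, cookies that omit the attribute and so rely on the browser default), and a rewrite helper that applies the "How to fix" guidance by setting SameSite to Strict or Lax. The header values in SAMPLE_HEADERS are constructed for illustration.

```python
"""Audit Set-Cookie headers for a weak SameSite attribute (CWE-1275).

Added example: parses Set-Cookie values the way a scanner would, flags
SameSite=None, and rewrites the header with Strict (or Lax) as the fix.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample headers: one flagged (None), one missing SameSite, one hardened.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "prefs=dark; Path=/",
    "csrftoken=t0k3n; Path=/; Secure; SameSite=Strict",
]


@dataclass
class CookieInfo:
    name: str
    samesite: Optional[str]  # "strict", "lax", "none", or None when the attribute is absent
    secure: bool
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie value of the form 'name=value; Attr; Attr=val; ...'."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; flag attributes (Secure, HttpOnly) have no value.
        attrs[key.strip().lower()] = val.strip() if sep else None
    samesite = attrs.get("samesite")
    return CookieInfo(
        name=name,
        samesite=samesite.lower() if samesite else None,
        secure="secure" in attrs,
        attributes=attrs,
    )


def samesite_finding(cookie: CookieInfo) -> Optional[str]:
    """Return a finding string when the cookie does not restrict cross-site sends."""
    if cookie.samesite == "none":
        return f"{cookie.name}: SameSite=None, cookie is sent with cross-site requests (CWE-1275)"
    if cookie.samesite is None:
        # Not the page's finding, but worth reporting: behaviour depends on the browser default.
        return f"{cookie.name}: SameSite attribute missing, relying on browser default"
    return None


def audit_headers(headers: List[str]) -> List[str]:
    """Run the SameSite check over a list of Set-Cookie values and collect findings."""
    findings = []
    for header in headers:
        finding = samesite_finding(parse_set_cookie(header))
        if finding:
            findings.append(finding)
    return findings


def harden_set_cookie(header_value: str, mode: str = "Strict") -> str:
    """Rewrite the header so SameSite is Strict, or Lax when Strict breaks a flow."""
    if mode not in ("Strict", "Lax"):
        raise ValueError("mode must be Strict or Lax")
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    # Drop any existing SameSite attribute and append the chosen value.
    kept = [p for p in parts if not p.lower().startswith("samesite")]
    return "; ".join(kept + [f"SameSite={mode}"])


if __name__ == "__main__":
    for line in audit_headers(SAMPLE_HEADERS):
        print("FINDING:", line)
    print("FIXED:  ", harden_set_cookie(SAMPLE_HEADERS[0]))
```

The parser lowercases attribute names only, so the original cookie value is preserved; the rewrite helper strips any existing SameSite attribute rather than editing it in place, which also covers headers that carry the attribute twice.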