Vulnerabilities / Cookie with SameSite attribute set to None
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Severity
Low
CWE Name
Cookie with SameSite attribute set to None
CWE ID
CWE-1275
CVSS Score
3.1
Compliance
OWASP TOP10 -> A2, A7
PCI-DSS -> 4.1, 6.5.4, 6.5.10
ISO27001 -> A.5.14, A.8.9, A.8.24, A.8.26
We found a Set-Cookie header with the SameSite cookie attribute set to None. Although this is not a vulnerability by itself, the SameSite cookie attribute controls whether the browser sends the cookie with cross-site requests. If properly configured, SameSite makes Cross-Site Request Forgery (CSRF) attacks impossible or very hard to perpetrate. If set to None, this protection is disabled.
How to fix
- Set the SameSite cookie attribute to strict to mitigate CSRF attacks. If strict breaks any functionality, use lax instead, which gives you protection against POST-based CSRF, but not GET ones.
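The following is an added example, not code from the original advisory or from the scanner vendor: a small Python audit that parses Set-Cookie headers, reports the finding described above (SameSite=None), and rewrites a header with the recommended strict or lax value while preserving its other attributes. The header strings in the block are constructed sample input; the finding texts and the helper names are this example's own.

```python
"""Audit Set-Cookie headers for a weak SameSite setting and harden them.

Added example (not part of the original advisory). The sample headers at the
bottom are constructed input, not captured traffic.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    samesite: Optional[str]          # lowercase attribute value, None if absent
    secure: bool
    findings: List[str] = field(default_factory=list)


def _split_header(header: str) -> List[str]:
    """Return the ';'-separated segments of a Set-Cookie header, without the
    optional 'Set-Cookie:' prefix. Segment 0 is 'name=value'."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    return [p.strip() for p in header.split(";") if p.strip()]


def parse_set_cookie(header: str) -> CookieAudit:
    """Extract the cookie name and the SameSite / Secure attributes."""
    parts = _split_header(header)
    name = parts[0].split("=", 1)[0].strip()
    samesite: Optional[str] = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = value.strip().lower()   # attribute values are case-insensitive
        elif key == "secure":
            secure = True
    return CookieAudit(name, samesite, secure)


def audit_set_cookie(header: str) -> CookieAudit:
    """Attach findings matching the advisory: SameSite=None disables the
    cross-site request protection; a missing attribute leaves it to browser
    defaults; Lax still allows top-level GET navigations to carry the cookie."""
    cookie = parse_set_cookie(header)
    if cookie.samesite == "none":
        cookie.findings.append(
            "CWE-1275: SameSite=None, cookie is sent on cross-site requests")
        if not cookie.secure:
            # Browsers that implement the current SameSite rules require
            # Secure alongside SameSite=None and reject the cookie otherwise.
            cookie.findings.append("SameSite=None without Secure attribute")
    elif cookie.samesite is None:
        cookie.findings.append(
            "SameSite attribute missing, behaviour depends on browser defaults")
    elif cookie.samesite == "lax":
        cookie.findings.append(
            "SameSite=Lax, cookie still sent on top-level GET navigations")
    return cookie


def harden_set_cookie(header: str, samesite: str = "Strict") -> str:
    """Rewrite the header with the given SameSite value (Strict by default,
    Lax as the fallback named in the fix), keeping every other attribute."""
    parts = _split_header(header)
    kept = [p for p in parts[1:]
            if p.split("=", 1)[0].strip().lower() != "samesite"]
    return "; ".join([parts[0]] + kept + [f"SameSite={samesite}"])


# Constructed sample headers for a stand-alone run.
SAMPLE_HEADERS = [
    "Set-Cookie: session=abc123; Path=/; SameSite=None; Secure",
    "sid=42; Path=/",
    "auth=tok; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        result = audit_set_cookie(raw)
        print(result.name, result.samesite, result.findings)
        if result.findings:
            print("  hardened:", harden_set_cookie(raw))
```

Run it as a script to see each sample classified and, where a finding exists, the rewritten header; the parser deliberately ignores everything except the name and the two attributes it checks, so it stays independent of the value formats the rest of the cookie uses.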