---
title: Set SameSite On Session Cookies
impact: MEDIUM
impactDescription: provides CSRF protection
tags: cookies, samesite, csrf, session, security
---

## Set SameSite On Session Cookies

The `SameSite` attribute controls whether a browser attaches a cookie to cross-site requests. Restricting it keeps the session cookie out of requests that another origin initiates, which is what gives it its CSRF protection.

**Incorrect (no SameSite):**

```go
cookie := &http.Cookie{
    Name:  "session",
    Value: token,
}
// SameSite is left at its zero value, http.SameSiteDefaultMode (0):
// no SameSite attribute is written, so the browser's own default applies
```

**Correct (SameSite set):**

```go
// Strict - most secure: the cookie is never sent on cross-site requests
strictCookie := &http.Cookie{
    Name:     "session",
    Value:    token,
    SameSite: http.SameSiteStrictMode,
    HttpOnly: true,
    Secure:   true,
}

// Lax - still blocks cross-site POSTs, but allows top-level navigation (clicking links)
laxCookie := &http.Cookie{
    Name:     "session",
    Value:    token,
    SameSite: http.SameSiteLaxMode,
    HttpOnly: true,
    Secure:   true,
}
```

**SameSite options in Go:**
- `http.SameSiteStrictMode`
- `http.SameSiteLaxMode`
- `http.SameSiteNoneMode` (requires `Secure: true`)

**Recommended:** `http.SameSiteStrictMode` for session cookies.
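The following is an added example, not code from the original rule: it builds the recommended session cookie and audits the cookies a handler actually emits by round-tripping them through `httptest`, which is where `SameSiteDefaultMode` shows up as a missing attribute. The names `newSessionCookie`, `auditCookie` and `auditHandler` are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newSessionCookie builds the hardened session cookie this rule recommends.
func newSessionCookie(token string) *http.Cookie {
	return &http.Cookie{
		Name: "session", Value: token, Path: "/",
		SameSite: http.SameSiteStrictMode, HttpOnly: true, Secure: true,
	}
}

// auditCookie returns one finding per weak or missing attribute; an empty
// slice means the cookie satisfies this rule.
func auditCookie(c *http.Cookie) []string {
	var findings []string
	switch c.SameSite {
	case http.SameSiteStrictMode: // strongest setting, nothing to report
	case http.SameSiteLaxMode:
		findings = append(findings, "SameSite=Lax: sent on top-level navigations")
	case http.SameSiteNoneMode:
		findings = append(findings, "SameSite=None: sent on every cross-site request")
		if !c.Secure {
			findings = append(findings, "SameSite=None without Secure: browsers reject it")
		}
	default: // SameSiteDefaultMode: Go writes no attribute at all
		findings = append(findings, "no SameSite attribute: browser default applies")
	}
	if !c.HttpOnly {
		findings = append(findings, "missing HttpOnly")
	}
	if !c.Secure {
		findings = append(findings, "missing Secure")
	}
	return findings
}

// auditHandler serves one request to h and audits every Set-Cookie it
// produced, as parsed back by net/http (so it checks what the wire carries).
func auditHandler(h http.HandlerFunc) map[string][]string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/login", nil))
	out := map[string][]string{}
	for _, c := range rec.Result().Cookies() {
		out[c.Name] = auditCookie(c)
	}
	return out
}

func main() {
	// constructed token value for the demo
	fmt.Println(auditHandler(func(w http.ResponseWriter, _ *http.Request) {
		http.SetCookie(w, newSessionCookie("demo-token"))
		http.SetCookie(w, &http.Cookie{Name: "legacy", Value: "x"})
	}))
}
```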

**Tools:** Browser DevTools, Security Scan
