---
title: Use SameSite Cookie Attribute
impact: MEDIUM
impactDescription: prevents Cross-Site Request Forgery (CSRF) by restricting cookie transmission
tags: security, cookies, csrf, samesite
---

## Use SameSite Cookie Attribute

Set the `SameSite` attribute to `Lax` or `Strict` on every cookie so the browser restricts whether the cookie is attached to cross-site requests.

**Incorrect (missing SameSite):**

```ruby
# Vulnerable to CSRF if CSRF token is not used correctly
cookies[:user_pref] = { value: "val" }
```

**Correct (SameSite set):**

```ruby
# Rails 6+ defaults to Lax for session cookies
# For manual cookies:
cookies[:user_pref] = { value: "val", same_site: :lax }
cookies[:session] = { value: "val", same_site: :strict, secure: true }
```
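The Rails helpers above translate into a `Set-Cookie` response header, and that header is what you can audit on any application, Rails or not. The block below is an added example, not part of the original rule: it builds a `Set-Cookie` value with the `SameSite`, `Secure` and `HttpOnly` attributes, and it audits existing header values for the weaknesses this rule targets. The function names (`build_set_cookie`, `parse_set_cookie`, `audit_set_cookie`) and the sample headers are constructed for the example; only the Ruby standard library is used.

```ruby
# Added example (not from the original page or from Rails): emit a Set-Cookie
# header with SameSite/Secure/HttpOnly and audit headers for missing attributes.
require "cgi"

SAME_SITE_VALUES = %w[Strict Lax None].freeze

# Build a Set-Cookie header value. same_site is :strict, :lax or :none.
# Browsers only accept SameSite=None together with Secure, so that pairing
# is enforced here rather than left to the caller.
def build_set_cookie(name, value, same_site: :lax, secure: true, http_only: true, path: "/")
  ss = same_site.to_s.capitalize
  raise ArgumentError, "unknown SameSite value #{same_site.inspect}" unless SAME_SITE_VALUES.include?(ss)
  raise ArgumentError, "SameSite=None requires Secure" if ss == "None" && !secure

  parts = ["#{name}=#{CGI.escape(value)}", "Path=#{path}", "SameSite=#{ss}"]
  parts << "Secure" if secure
  parts << "HttpOnly" if http_only
  parts.join("; ")
end

# Parse a Set-Cookie header value into [cookie_name, attributes].
# Attribute names are case-insensitive; flag attributes (Secure, HttpOnly)
# are stored as true.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip).reject(&:empty?)
  name, _value = pair.split("=", 2)
  attributes = {}
  attrs.each do |attr|
    key, val = attr.split("=", 2)
    attributes[key.downcase] = val.nil? ? true : val
  end
  [name, attributes]
end

# Audit one Set-Cookie header value. Returns an array of finding strings;
# an empty array means the cookie carries the attributes this rule expects.
def audit_set_cookie(header)
  name, attrs = parse_set_cookie(header)
  findings = []
  ss = attrs["samesite"]
  ss = "" if ss == true # "SameSite" with no value is treated as unrecognised

  if ss.nil?
    findings << "#{name}: missing SameSite (browser default varies; set Lax or Strict explicitly)"
  elsif ss.casecmp("none").zero?
    findings << "#{name}: SameSite=None sends the cookie on every cross-site request; CSRF tokens are mandatory"
    findings << "#{name}: SameSite=None without Secure is rejected by browsers" unless attrs["secure"]
  elsif SAME_SITE_VALUES.none? { |v| v.casecmp(ss).zero? }
    findings << "#{name}: unrecognised SameSite value #{ss.inspect}"
  end
  findings << "#{name}: missing Secure" unless attrs["secure"]
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts build_set_cookie("session", "abc 123", same_site: :strict)

  # Constructed sample headers: one unprotected, one hardened, one misconfigured.
  [
    "user_pref=val; Path=/",
    "session=abc; Path=/; SameSite=Strict; Secure; HttpOnly",
    "tracker=1; SameSite=None"
  ].each { |h| puts "#{h} => #{audit_set_cookie(h).inspect}" }
end
```

Run the audit over the `Set-Cookie` headers captured from a staging response (for example with `curl -I`) to find cookies the Rails default does not cover, such as those written by middleware or third-party gems. Note that `Lax` still sends the cookie on top-level GET navigations, so it protects state-changing endpoints only if those endpoints never accept GET; keep Rails' CSRF token protection enabled alongside `SameSite`.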

**Tools:** Brakeman, Rails default

---
