Web Application Security
Never use the GET method for Sensitive Actions in Web App: Ft. CSRF
The Limitation of Cookie’s “SameSite: Lax” Security
Introduction
With the introduction of the default “Samesite: Lax” feature, developers can now enhance the security of their web applications significantly. The feature offers a robust defence mechanism against CSRF weaknesses, previously a major concern for developers. As a result, developers can now breathe a sigh of relief and focus on building web applications that are more secure and not vulnerable to CSRF attacks.
The SameSite attribute is a valuable feature in the web developer’s arsenal to mitigate these risks, but it’s essential to understand its limitations. This blog will focus on an important note about SameSite: Lax, explaining why it may not prevent CSRF attacks in certain situations.
SameSite: Lax — A Quick Overview
SameSite is an attribute used in HTTP cookies to control how they are sent in cross-origin requests. The SameSite attribute can have one of three values: “Strict,” “Lax,” or “None.” SameSite: Lax is the default value for cookies that don’t specify SameSite explicitly(see the table below for browser compatibility), and it provides a reasonable level of security for many web applications.