Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.
The SameSite attribute of the Set-Cookie HTTP response header allows you to declare whether your cookie should be restricted to a first-party or same-site context.
Note: Standards related to the Cookie SameSite attribute recently changed such that:
- The cookie-sending behavior if SameSite is not specified is SameSite=Lax. Previously the default was that cookies were sent for all requests.
- Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).
- Cookies from the same domain are no longer considered to be from the same site if sent using a different scheme (
This article documents the new standard. See Browser Compatibility below for information about specific versions where the behavior changed.
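The two rules above (an unspecified SameSite is treated as Lax, and SameSite=None is only honored together with Secure) are easy to check mechanically when reviewing the Set-Cookie headers a server emits. The following is an added example, not code from this article or from any browser: a small parser that reads a Set-Cookie value, reports the effective SameSite mode, and flags cookies that the new standard would reject. The sample headers and the CookieCheck/check_samesite names are constructed for this example; treating an unrecognized SameSite value like an unspecified one is an assumption made here, not something the article states.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class CookieCheck:
    """Result of checking one Set-Cookie header (hypothetical type for this example)."""
    name: str
    effective_samesite: str  # "Lax", "Strict" or "None"
    secure: bool
    accepted: bool
    reason: str


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split a Set-Cookie value into the cookie name and its attributes.

    Attribute names are lower-cased because browsers match them
    case-insensitively; flag attributes such as Secure map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def check_samesite(header: str) -> CookieCheck:
    """Apply the SameSite rules described in the article to one header."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    raw = attrs.get("samesite")

    if raw is None or raw.lower() not in ("lax", "strict", "none"):
        # Not specified: the current default is Lax. An unrecognized value is
        # treated the same way here (assumption for this example).
        samesite = "Lax"
    else:
        samesite = raw.capitalize()

    if samesite == "None" and not secure:
        # Cross-site cookies must also be Secure or the browser rejects them.
        return CookieCheck(name, samesite, secure, False,
                           "SameSite=None requires the Secure attribute")
    return CookieCheck(name, samesite, secure, True, "ok")


# Constructed sample headers, as a server might emit them.
SAMPLE_HEADERS = [
    "id=abc123; Path=/; Secure",                         # default -> Lax
    "sess=xyz; SameSite=None; Path=/",                   # rejected: no Secure
    "sess=xyz; SameSite=None; Secure; Path=/",           # accepted cross-site
    "csrf=tok; samesite=strict; HttpOnly",               # explicit Strict
]


def audit(headers: list[str]) -> list[CookieCheck]:
    return [check_samesite(h) for h in headers]


if __name__ == "__main__":
    for result in audit(SAMPLE_HEADERS):
        status = "OK      " if result.accepted else "REJECTED"
        print(f"{status} {result.name:<5} SameSite={result.effective_samesite:<6} "
              f"Secure={result.secure} ({result.reason})")
```

Running the block prints one line per sample header; only the second cookie is reported as rejected, because it asks for SameSite=None without Secure. The same check can be dropped into an integration test that inspects a real response's Set-Cookie headers.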