Skip to content

fix: default cookie sameSite to 'lax' instead of 'none'#190

Open
jakebromberg wants to merge 2 commits intomainfrom
fix/31-cookie-samesite
Open

fix: default cookie sameSite to 'lax' instead of 'none'#190
jakebromberg wants to merge 2 commits intomainfrom
fix/31-cookie-samesite

Conversation

@jakebromberg
Copy link
Member

@jakebromberg jakebromberg commented Feb 21, 2026

Summary

  • Bug: sameSite: 'none' in shared/authentication/src/auth.definition.ts sends cookies on all cross-site requests, weakening CSRF protection.
  • Fix: Default sameSite to 'lax' while allowing override via COOKIE_SAME_SITE env var for deployments that need cross-origin cookie behavior.
  • Test: Added source-reading unit test that asserts sameSite is never hardcoded to 'none'.

Closes #31

Test plan

  • Unit test fails with the old sameSite: 'none' value
  • Unit test passes after fix (defaults to 'lax')
  • Verify auth flows work in staging with default lax setting
  • Verify COOKIE_SAME_SITE=none env override works for cross-origin deployments

Made with Cursor

@cursoragent
fix: default cookie sameSite to 'lax' instead of 'none'
01ee215 
sameSite: 'none' sends cookies on all cross-site requests, weakening
CSRF protection. Defaulting to 'lax' while allowing env override.

Co-authored-by: Cursor <cursoragent@cursor.com>
@jakebromberg jakebromberg force-pushed the fix/31-cookie-samesite branch from c7e8f68 to 01ee215 Compare February 27, 2026 05:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jakebromberg