SameSite Cookie Attribute


SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is mitigate the risk of cross-origin information leakage. Example:
Set-Cookie: jsessionid=asdiifiwiaifiai; secure; HttpOnly; SameSite=Lax

The default lax value provides a reasonable balance between security and usability for websites that want to maintain user’s logged-in session after the user arrives from an external link. The session cookie would be allowed when following a regular link from an external website while blocking it in CSRF-prone request methods (e.g. POST).

It think Ghost could use that too as it’s backwards compatible as well:


Hey @thde :wave: Which cookie are you referring to?


The express:sess one. As it’s the only one I see, I assume it’s used for private instances?