tough-cookie.setcookieoptions.samesitecontext.md
April 11, 2025
SetCookieOptions.sameSiteContext property
Set this to 'none', 'lax', or 'strict' to enforce SameSite cookies upon storage. The value describes the context of the request that delivered the cookie:

- 'strict' - The request is on the same "site for cookies" (see the RFC draft for more information) as the request URI, i.e. a same-site request. Passing the real context adds a layer of defense against CSRF.
- 'lax' - The request comes from another site, but directly because of a navigation by the user, such as <link type=prefetch> or <a href="...">; use 'lax' in that case.
- 'none' - The request is cross-site. In this context a cookie that carries SameSite=Strict or SameSite=Lax is rejected instead of being stored.
- undefined - SameSite is not enforced! This can be a valid use-case when CSRF isn't in the threat model of the system being built.

Defaults to undefined if not provided.
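The storage-time rule the option enables is easiest to see as a decision table. The following is an added, self-contained model of that rule, not tough-cookie's own code: it parses the SameSite attribute out of a Set-Cookie header and applies the check from RFC6265bis section 5.4 (a cookie whose same-site-flag is not None, set from a cross-site context, is ignored), which is the case tough-cookie's CookieJar.setCookie(cookie, url, { sameSiteContext: 'none' }) rejects. Assumptions made by the model and labelled in the code: a cookie with no SameSite attribute is treated as unrestricted (no Lax-by-default), unknown SameSite values are treated as absent, and the sample headers are constructed, not captured traffic.

```javascript
// Added example: a model of the storage-time SameSite check that the
// sameSiteContext option turns on. This is NOT tough-cookie's code.
// Assumption: a missing or unrecognised SameSite attribute means "unrestricted".

// Parse only what the check needs from a Set-Cookie header:
// name, value and the SameSite attribute ('strict' | 'lax' | 'none' | undefined).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) throw new Error('invalid cookie-pair: ' + JSON.stringify(pair));
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: undefined };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    if (k.trim().toLowerCase() === 'samesite') {
      const lv = v.trim().toLowerCase();
      // Assumption: unknown values behave as if the attribute were absent.
      if (lv === 'strict' || lv === 'lax' || lv === 'none') cookie.sameSite = lv;
    }
  }
  return cookie;
}

// RFC6265bis section 5.4, steps 13-14: if the cookie's same-site-flag is not
// None and the cookie is being set from a cross-site context, ignore it.
// sameSiteContext 'none' is that cross-site context; 'lax' and 'strict' are
// contexts the rule does not reject; undefined disables the check entirely.
function acceptsOnStore(cookie, sameSiteContext) {
  if (sameSiteContext === undefined) return true; // SameSite not enforced
  const restricted = cookie.sameSite === 'strict' || cookie.sameSite === 'lax';
  if (sameSiteContext === 'none' && restricted) return false;
  return true;
}

// Minimal jar that refuses to store a cookie when the check fails.
class ModelJar {
  constructor() {
    this.store = new Map();
  }
  setCookie(header, { sameSiteContext } = {}) {
    const cookie = parseSetCookie(header);
    if (!acceptsOnStore(cookie, sameSiteContext)) {
      throw new Error('Cookie is SameSite but this is a cross-origin request');
    }
    this.store.set(cookie.name, cookie);
    return cookie;
  }
  has(name) {
    return this.store.has(name);
  }
}

// Decision table over constructed Set-Cookie headers (sample input, not captured).
function decisionTable() {
  const headers = [
    'sid=abc; SameSite=Strict',
    'pref=1; SameSite=Lax',
    'tracker=x; SameSite=None; Secure',
    'legacy=y',
  ];
  const contexts = ['strict', 'lax', 'none', undefined];
  const table = {};
  for (const h of headers) {
    const c = parseSetCookie(h);
    table[c.name] = {};
    for (const ctx of contexts) table[c.name][String(ctx)] = acceptsOnStore(c, ctx);
  }
  return table;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(decisionTable());
}
```

Only the 'none' row of the table ever rejects, and only for Strict and Lax cookies; note that a cookie with no SameSite attribute at all (the 'legacy' row) is stored in every context under this model, so a client that wants browser-like Lax-by-default behaviour has to add it itself rather than rely on sameSiteContext.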
Signature:

```typescript
sameSiteContext?: 'strict' | 'lax' | 'none' | undefined;
```
Remarks
- It is highly recommended that you read RFC6265bis - Section 8.8, which discusses the security considerations of SameSite cookies and the defense they provide in depth.