
Can we make the session cookie SameSite=Strict (currently defaulting to SameSite=Lax)?

Open eoinkelly opened this issue 1 year ago • 1 comment

I might be missing something but I have not yet found a reason why we cannot set SameSite=Strict on the Rails session cookie. This is a very minor security win but will likely tick some lower priority boxes in pen tests.

The change would be something along the lines of:

# config/application.rb

  # Specify cookies SameSite protection level: either :none, :lax, or :strict.
  config.action_dispatch.cookies_same_site_protection = :strict # defaults to :lax

Background

  • https://web.dev/articles/samesite-cookies-explained

eoinkelly, Feb 15 '24 04:02
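As an added example (not code from this issue or from the rails-template project): a plain-Ruby model of the browser-side rules from RFC 6265bis that decide whether a cookie carrying a given SameSite value is attached to a request. It parses a Set-Cookie header of the shape Rails emits for the session cookie (the header strings, cookie name and value below are constructed for the example) and evaluates the cross-site scenarios that separate Lax from Strict, including Chromium's two-minute "Lax + POST" exception, which applies only when no SameSite attribute is set at all.

```ruby
# Added example: a minimal model of how browsers apply SameSite (RFC 6265bis),
# used to show what changing the Rails session cookie from Lax to Strict alters.
# Not part of the rails-template project; cookie name/value are made up.

SAME_SITE_VALUES = %w[strict lax none].freeze

# Parse a Set-Cookie header into name, value and a lowercase-keyed attribute hash.
# Valueless attributes (HttpOnly, Secure) map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split('=', 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attributes: attributes }
end

# Would a browser attach this cookie to the request?
#   cross_site:           request initiator's site differs from the cookie's site
#   top_level_navigation: link click, form submit or redirect that changes the address bar
#   method:               HTTP method of the request
#   age_seconds:          cookie age, only relevant to Chromium's "Lax + POST" exception
def cookie_sent?(cookie, cross_site:, top_level_navigation: false, method: 'GET', age_seconds: nil)
  return true unless cross_site # SameSite only restricts cross-site requests

  attr = cookie[:attributes]
  raw = attr['samesite']
  same_site = raw.is_a?(String) ? raw.downcase : nil
  same_site = nil unless SAME_SITE_VALUES.include?(same_site) # missing/invalid => browser default

  case same_site
  when 'strict'
    false # never sent cross-site, not even on a top-level link click
  when 'none'
    attr.key?('secure') # SameSite=None is rejected by browsers unless Secure is also set
  else
    # 'lax', or no attribute (browsers default to Lax): sent on cross-site
    # top-level navigations that use a safe method.
    return true if top_level_navigation && %w[GET HEAD].include?(method.upcase)

    # Chromium's "Lax + POST" mitigation: a cookie with NO explicit SameSite attribute
    # is still sent on a cross-site top-level POST for its first two minutes.
    # Rails sets SameSite explicitly, so this never applies to its session cookie.
    same_site.nil? && top_level_navigation && method.upcase == 'POST' &&
      !age_seconds.nil? && age_seconds < 120
  end
end

# Constructed headers with the shape Rails produces for cookies_same_site_protection.
LAX_HEADER         = '_app_session=abc123; path=/; HttpOnly; SameSite=Lax'.freeze
STRICT_HEADER      = '_app_session=abc123; path=/; HttpOnly; SameSite=Strict'.freeze
UNSPECIFIED_HEADER = '_app_session=abc123; path=/; HttpOnly'.freeze

# The scenarios a pentester checks when deciding whether Lax is "enough".
def cross_site_exposure(header)
  cookie = parse_set_cookie(header)
  {
    same_site_request:     cookie_sent?(cookie, cross_site: false),
    cross_site_link_click: cookie_sent?(cookie, cross_site: true, top_level_navigation: true, method: 'GET'),
    cross_site_form_post:  cookie_sent?(cookie, cross_site: true, top_level_navigation: true, method: 'POST'),
    cross_site_fetch:      cookie_sent?(cookie, cross_site: true, top_level_navigation: false, method: 'GET')
  }
end

if __FILE__ == $PROGRAM_NAME
  { 'Lax' => LAX_HEADER, 'Strict' => STRICT_HEADER, 'unspecified' => UNSPECIFIED_HEADER }.each do |label, header|
    puts "#{label}: #{cross_site_exposure(header)}"
  end
end
```

Running it shows the actual delta of the proposed change: with SameSite=Lax the session cookie still rides along on a cross-site top-level GET, so a link from another site lands on an authenticated page and any GET endpoint with side effects stays reachable; with SameSite=Strict it is withheld on every cross-site request, including that link click, so a user following an external link into the app arrives logged out until their next same-site navigation. Neither value sends the cookie on a cross-site fetch/XHR or on an explicitly-attributed cross-site POST, which is why the Rails CSRF token remains the primary defence either way.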

:strict makes sense as a default (as discussed at Ruby Guild on 8th March)

lukeify, Mar 07 '24 22:03