Yesterday I saw a talk about the security practices used in Angular2. One thing that was completely new to me is an alternative method of defense against CSRF attacks: SameSite attribute for a cookie.

This new attribute supports two modes:

  • strict - the browser will never attach the cookie to cross-site requests
    • this stops all CSRF attacks
  • lax - the cookie will be present on safe top-level navigations
    • e.g. the cookie will be sent on a GET request that results in a top-level navigation of the browsing context
    • this stops most CSRF attacks, but not those that can be launched with a GET request

The default setting for the SameSite attribute is strict mode.

Set-Cookie: SSID=1234; SameSite=Strict
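To make the two modes concrete, here is an added example (not code from the original post) that parses a Set-Cookie header and models the browser's SameSite decision for a few constructed cross-site request scenarios. It assumes a site is identified by the last two labels of the hostname (no public-suffix list) and, following the post, treats a bare SameSite attribute as Strict.

```javascript
// Added example, not from the original post: a small model of the browser's
// SameSite decision, so a defender can see which cross-site requests would
// still carry a session cookie. Assumption: "site" is approximated by the
// last two labels of the hostname (no public-suffix list).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse a Set-Cookie header into name, value and its SameSite mode.
// A bare "SameSite" with no value is treated as Strict, as the post states.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const [name, value] = pair.split('=');
  let sameSite = 'none'; // no attribute: classic behaviour, always attached
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'samesite') sameSite = v ? v.toLowerCase() : 'strict';
  }
  return { name, value, sameSite };
}

function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// request: { initiatorHost, targetHost, method, topLevelNavigation }
function cookieIsSent(cookie, request) {
  const sameSite = registrableDomain(request.initiatorHost) === registrableDomain(request.targetHost);
  if (sameSite) return true; // SameSite only restricts cross-site requests
  switch (cookie.sameSite) {
    case 'strict': return false;
    case 'lax': return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
    default: return true;
  }
}

// Constructed CSRF scenarios against bank.example launched from attacker.example.
const SCENARIOS = {
  hiddenFormPost: { initiatorHost: 'attacker.example', targetHost: 'bank.example', method: 'POST', topLevelNavigation: true },
  linkClickGet:   { initiatorHost: 'attacker.example', targetHost: 'bank.example', method: 'GET', topLevelNavigation: true },
  imgTagGet:      { initiatorHost: 'attacker.example', targetHost: 'bank.example', method: 'GET', topLevelNavigation: false },
  sameSiteGet:    { initiatorHost: 'app.bank.example', targetHost: 'bank.example', method: 'GET', topLevelNavigation: false },
};

// Map each scenario to whether the cookie from `header` would be attached.
function exposure(header) {
  const cookie = parseSetCookie(header);
  const out = {};
  for (const [name, req] of Object.entries(SCENARIOS)) out[name] = cookieIsSent(cookie, req);
  return out;
}
```

Running `exposure('SSID=1234; SameSite=Lax')` shows the one gap the post mentions: the link-click GET navigation still carries the cookie, while the hidden form POST and the img-tag GET do not.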

This attribute is currently supported by Chrome and Opera, but there is no reason not to use it: other browsers simply ignore unknown cookie attributes, so you are protected on Chrome and Opera today, and on the other browsers once they support the SameSite attribute.