# Same Site Cookie Analyzer PRO
| Category | Severity | Time To Fix |
|---|---|---|
| 🛡️ Security | ⚠️ Critical | 1 minute |

Class: `Enlightn\EnlightnPro\Analyzers\Security\SameSiteCookieAnalyzer`
# Introduction
This analyzer confirms that your application sets a secure `SameSite` cookie attribute on your session cookies. Note that this is also the default value for all cookies in your application.

The `SameSite` attribute of the `Set-Cookie` HTTP response header allows you to declare whether your cookie should be restricted to a first-party or same-site context. It allows 3 values:

- `Lax`: Cookies are not sent on normal cross-site subrequests but are sent when a user is navigating to the origin site.
- `Strict`: Cookies will only be sent in a first-party context and will not be sent along with requests initiated by third-party websites.
- `None`: Cookies will be sent in all contexts, i.e. in both first-party and cross-origin requests. This is a dangerous setting and can expose your application to possible CSRF attacks.

Laravel also allows a `null` value, which means that the `SameSite` attribute will not be specified in the cookie. This is also a dangerous setting because the behaviour then depends on the browser version: new browser versions default to `Lax`, whereas older browser versions default to `None`.
# How To Fix
To fix this issue, simply set the `same_site` configuration option in your `config/session.php` file to `"lax"` or `"strict"`:

```php
/*
|--------------------------------------------------------------------------
| Same-Site Cookies
|--------------------------------------------------------------------------
|
| This option determines how your cookies behave when cross-site requests
| take place, and can be used to mitigate CSRF attacks. By default, we
| will set this value to "lax" since this is a secure default value.
|
| Supported: "lax", "strict", "none", null
|
*/

'same_site' => 'lax',
```
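The analyzer above inspects the Laravel configuration; the following added example (not part of Enlightn) applies the same three-value rule set plus the `null` case to the `Set-Cookie` headers a deployed application actually returns, so the fix can be verified end to end. The sample headers are constructed, not captured from a real application.

```python
"""Classify the SameSite posture of Set-Cookie response headers."""
from typing import Dict, List

SAFE_VALUES = {"strict", "lax"}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into a name plus attribute map.

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly carry an empty string as their value.
    """
    parts = [p.strip() for p in header.split(";")]
    attrs = {"__name__": parts[0].split("=", 1)[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def samesite_verdict(header: str) -> str:
    """Return 'ok', 'none', 'missing' or 'invalid' for one Set-Cookie header.

    'missing' is what Laravel's same_site => null produces: no attribute is
    emitted, so new browsers apply Lax while older ones apply None.
    """
    value = parse_set_cookie(header).get("samesite")
    if value is None:
        return "missing"
    if value.lower() in SAFE_VALUES:
        return "ok"
    if value.lower() == "none":
        return "none"
    return "invalid"


def audit(headers: List[str]) -> Dict[str, str]:
    """Map each cookie name to its verdict so an audit can flag the weak ones."""
    return {parse_set_cookie(h)["__name__"]: samesite_verdict(h) for h in headers}


# Constructed sample headers (not captured from a real application).
SAMPLE_HEADERS = [
    "laravel_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "XSRF-TOKEN=def456; Path=/; Secure; SameSite=None",
    "legacy_pref=1; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: {verdict}")
```

Anything other than `ok` is the same finding the analyzer raises: `none` is the explicitly dangerous value, and `missing` is the browser-dependent `null` configuration.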