What is the default SameSite value?

Modern browsers treat a cookie with no SameSite attribute as Lax by default. Lax sends the cookie on same-site requests and on top-level cross-site navigations (like clicking a link) but not on cross-site subresource loads or background fetches.

Why does SameSite=None require Secure?

Browsers reject SameSite=None unless the cookie also has the Secure attribute, meaning it is only sent over HTTPS. This prevents cross-site cookies from travelling over plaintext connections where they could be intercepted.

When should I use SameSite=Strict?

Use Strict for high-sensitivity cookies like session tokens for an admin panel. The cookie is withheld on every cross-site request, including top-level navigation, so a user following a link from another site will appear logged out until they navigate within the site.

What breaks with third-party cookie deprecation?

Cross-site cookies — those with SameSite=None — are increasingly blocked by browsers regardless of Secure. Flows that rely on third-party cookies (embedded widgets, some SSO and ad attribution) need alternatives like CHIPS partitioned cookies or the Storage Access API.

Does this tool set any cookies?

No. It only describes sending behaviour per request type. Nothing is stored or transmitted.

SameSite Cookie Attribute Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

The SameSite cookie attribute controls whether a cookie accompanies requests that originate from a different site, which is the core defence against cross-site request forgery (CSRF) and a key lever in third-party cookie deprecation. This reference covers the three values and shows, per request type, whether the cookie is sent.

How it works

The browser classifies each request as same-site or cross-site relative to the cookie’s domain, then applies the attribute:

Set-Cookie: session=abc; SameSite=Lax; Secure; HttpOnly
Set-Cookie: widget=xyz; SameSite=None; Secure

Strict sends the cookie only on same-site requests. Lax (the default) adds one exception — top-level cross-site navigations using a safe method, such as clicking a link. None sends the cookie on all cross-site requests but is rejected unless paired with Secure. Even None; Secure cookies are now frequently blocked as part of third-party cookie phase-out.

Tips and notes

Default to Lax; reserve Strict for the most sensitive session cookies.
SameSite=None without Secure is rejected — always pair them.
For embedded cross-site cookies, consider CHIPS (Partitioned) or the Storage Access API.
Lax still permits the cookie on top-level GET navigations, so it is not full CSRF immunity — also use CSRF tokens.
A subresource (image, script, fetch) to your own site from a third-party page is cross-site and follows these rules.

SameSite Cookie Attribute Reference

Email me this result

Deciding when a cookie crosses sites

How it works

Tips and notes