site logo

StacknaticWebsite & Mobile App Development

Stacknatic logo

We Care About Your Privacy

Stacknatic utilizes technologies, such as cookies, to enhance your browsing experience. By using this technology, you can be provided with a more personalized and seamless interaction with this website. By continuing, you agree with the Privacy Policy of Stacknatic.

Privacy Policy | Terms of Use
Home/blog/SameSite attribute explained in simple terms

SameSite attribute explained in simple terms

featured image for SameSite attribute explained in simple terms

Published on: March 11, 2024 (Updated on: July 14, 2024)

Table of Contents

  • What is SameSite?
  • Below is an explanation of the three SameSite Settings:
  • Let's break down the None setting:
  • Why Does SameSite Matter?
  • How Does SameSite Affect You?
  • Making the Right SameSite Choice:

Cookies help websites remember you. They're like little reminders for the website about your visit. But these cookies need rules to work safely. One key rule is the SameSite attribute. It helps websites be more secure. Now, let's dive into what SameSite really means.

What is SameSite?

SameSite is a tag added to cookies. It tells the browser how to handle your cookies based on where you're surfing from. It has three settings: `Strict`, `Lax`, and `None`. Each setting changes how cookies travel between websites.

Below is an explanation of the three SameSite Settings:

1. Strict: This is the strictest setting. The cookie will only work if you're on the website that created it. If you click a link from another site, the cookie won't come along. This is great for keeping your data safe but might make some website functions less smooth.

Let me clarify how the strict setting works:

When you're using a cookie with the Strict setting from site1.com, and you move to site2.com, your site1.com cookie won't be visible or accessible on site2.com. The Strict setting makes sure your cookie is only used where it was originally set, which in this example is at site1.com.

This restriction helps in keeping your browsing secure as it prevents other sites (like site2.com) from seeing or interacting with your site1.com cookies. In simple terms, your site1.com cookie stays put on site1.com, regardless of where else you go browsing.

2. Lax: A bit more flexible than Strict. Here, cookies are sent with top-level navigation. That means if you click a link to a site, its cookies come too, but not during background fetching. This setting balances security and user experience.

With the Lax setting, here's how it works:

Suppose you have a cookie from site1.com with the Lax setting. If you directly visit site1.com, the cookie works just fine, doing its job, like keeping you logged in. Now, let's say you find a link to site1.com on site2.com and click on it. In this case, because of the Lax setting, your site1.com cookie will still come into play when you land on site1.com through the link from site2.com. This allows a smoother experience for activities like logging in automatically or filling forms.

However, if the interaction with site1.com occurs in a less direct way, such as through an embedded image or AJAX request from site2.com, then the cookie won't be sent. It's mainly about enhancing security while still enabling a user-friendly browsing experience by recognizing your visits to familiar sites through direct navigation actions, like clicking a link.

3. None: This setting lets cookies travel freely from one site to another, no restrictions. But, browsers now demand these cookies be tagged as `Secure`. It means they can only move over HTTPS, protecting the data in transit.

Let's break down the None setting:

When a cookie is set with the None setting, it means this cookie isn't restricted by the site it's on when it's sent with your requests. So, sticking with our earlier example, if you have a cookie from site1.com with the None setting, this cookie can be included in requests to site1.com even if you're visiting from api.site1.com or any other site.

Especially useful for features that involve different websites working together, like embedding content from site1.com on api.site1.com, these cookies ensure a seamless experience. But, there's an important security measure in place: cookies marked as None must also be tagged with `Secure`. This means they're only sent over HTTPS, adding a layer of protection since the data in the cookie is encrypted during its journey through the internet.

This setup favors functionality, enabling services that rely on cookies across different websites to function properly, but with the added safeguard of encryption. This way, it adds flexibility for web developers while still caring for the user's security.

Why Does SameSite Matter?

Privacy and security online are big deals. SameSite guards against attacks where bad actors might trick you into actions you didn’t mean to take. Imagine someone steals your cookie. If they do, they might access sites pretending to be you. SameSite helps prevent such scenarios by controlling when and where your cookies can be sent.

How Does SameSite Affect You?

If you're just browsing, you may not notice it working. It's more about behind-the-scenes safety. But developers care a lot about SameSite because they need to make sure their sites work right and stay safe. For users, it means enjoying the web with a bit more peace of mind.

For site creators, understanding SameSite is vital. Making the wrong choice could break site features or lessen security. It's about finding the right balance.

Making the Right SameSite Choice:

When deciding, think about your site's needs:

- Use Strict for maximum security. Good for internal sites.

- Lax is a safe default. It balances usability and security.

- Choose None only if you really need cookies to follow the user across different sites. And remember to secure it with HTTPS.

In short, SameSite helps keep your web experience safe. It might seem technical, but it's about making sure your digital footsteps are protected, ensuring a safer browsing journey.

See more posts in Websites
Author:author's avatarMichael Akerele