site logo

Stacknatic

Stacknatic logo

We Care About Your Privacy

Stacknatic utilizes technologies, such as cookies, to enhance your browsing experience. By using this technology, you can be provided with a more personalized and seamless interaction with this website. By continuing, you agree with the Privacy Policy of Stacknatic.

Privacy Policy | Terms of Use
SameSite attribute explained in simple terms | Stacknatic
Home/blog/SameSite attribute explained in simple terms

SameSite attribute explained in simple terms

featured image for SameSite attribute explained in simple terms

Published on: March 11, 2024 (Updated on: July 14, 2024)

Table of Contents

  • What is SameSite?
  • Below is an explanation of the three SameSite Settings:
  • Let's break down the None setting:
  • Why Does SameSite Matter?
  • How Does SameSite Affect You?
  • Making the Right SameSite Choice:

Cookies help websites remember you. They're like little reminders for the website about your visit. But these cookies need rules to work safely. One key rule is the SameSite attribute. It helps websites be more secure. Now, let's dive into what SameSite really means.

What is SameSite?

SameSite is a tag added to cookies. It tells the browser how to handle your cookies based on where you're surfing from. It has three settings: `Strict`, `Lax`, and `None`. Each setting changes how cookies travel between websites.

Below is an explanation of the three SameSite Settings:

1. Strict: This is the strictest setting. The cookie will only work if you're on the website that created it. If you click a link from another site, the cookie won't come along. This is great for keeping your data safe but might make some website functions less smooth.

Let me clarify how the strict setting works:

When you're using a cookie with the Strict setting from site1.com, and you move to site2.com, your site1.com cookie won't be visible or accessible on site2.com. The Strict setting makes sure your cookie is only used where it was originally set, which in this example is at site1.com.

This restriction helps in keeping your browsing secure as it prevents other sites (like site2.com) from seeing or interacting with your site1.com cookies. In simple terms, your site1.com cookie stays put on site1.com, regardless of where else you go browsing.

2. Lax: A bit more flexible than Strict. Here, cookies are sent with top-level navigation. That means if you click a link to a site, its cookies come too, but not during background fetching. This setting balances security and user experience.

With the Lax setting, here's how it works:

Suppose you have a cookie from site1.com with the Lax setting. If you directly visit site1.com, the cookie works just fine, doing its job, like keeping you logged in. Now, let's say you find a link to site1.com on site2.com and click on it. In this case, because of the Lax setting, your site1.com cookie will still come into play when you land on site1.com through the link from site2.com. This allows a smoother experience for activities like logging in automatically or filling forms.

However, if the interaction with site1.com occurs in a less direct way, such as through an embedded image or AJAX request from site2.com, then the cookie won't be sent. It's mainly about enhancing security while still enabling a user-friendly browsing experience by recognizing your visits to familiar sites through direct navigation actions, like clicking a link.

3. None: This setting lets cookies travel freely from one site to another, no restrictions. But, browsers now demand these cookies be tagged as `Secure`. It means they can only move over HTTPS, protecting the data in transit.

Let's break down the None setting:

When a cookie is set with the None setting, it means this cookie isn't restricted by the site it's on when it's sent with your requests. So, sticking with our earlier example, if you have a cookie from site1.com with the None setting, this cookie can be included in requests to site1.com even if you're visiting from api.site1.com or any other site.

Especially useful for features that involve different websites working together, like embedding content from site1.com on api.site1.com, these cookies ensure a seamless experience. But, there's an important security measure in place: cookies marked as None must also be tagged with `Secure`. This means they're only sent over HTTPS, adding a layer of protection since the data in the cookie is encrypted during its journey through the internet.

This setup favors functionality, enabling services that rely on cookies across different websites to function properly, but with the added safeguard of encryption. This way, it adds flexibility for web developers while still caring for the user's security.

Why Does SameSite Matter?

Privacy and security online are big deals. SameSite guards against attacks where bad actors might trick you into actions you didn’t mean to take. Imagine someone steals your cookie. If they do, they might access sites pretending to be you. SameSite helps prevent such scenarios by controlling when and where your cookies can be sent.

How Does SameSite Affect You?

If you're just browsing, you may not notice it working. It's more about behind-the-scenes safety. But developers care a lot about SameSite because they need to make sure their sites work right and stay safe. For users, it means enjoying the web with a bit more peace of mind.

For site creators, understanding SameSite is vital. Making the wrong choice could break site features or lessen security. It's about finding the right balance.

Making the Right SameSite Choice:

When deciding, think about your site's needs:

- Use Strict for maximum security. Good for internal sites.

- Lax is a safe default. It balances usability and security.

- Choose None only if you really need cookies to follow the user across different sites. And remember to secure it with HTTPS.

In short, SameSite helps keep your web experience safe. It might seem technical, but it's about making sure your digital footsteps are protected, ensuring a safer browsing journey.

See more posts in Websites
Author:author's avatarMichael

Recommended Posts

featured image for How to Create a Django Web App (with Custom User Model)

How to Create a Django Web App (with Custom User Model)

Learn how to create a Django web app with a custom user model, covering setup and the essential steps to tailor your application to your needs.

featured image for CSRF Attack and Implications Explained in Simple Terms With Example

CSRF Attack and Implications Explained in Simple Terms With Example

An explanation of Cross-Site Request Forgery (CSRF) attack, its implications, and effective strategies to protect web applications from unauthorized actions.

featured image for How to Trap Focus in Next.js and React

How to Trap Focus in Next.js and React

Trapping focus ensures that keyboard users can navigate your component without losing focus elsewhere on the page. Learn how to trap focus in React and Next.js.

featured image for How to Implement Debouncing in Next.js

How to Implement Debouncing in Next.js

Debouncing can be used to prevent performance issues or data inaccuracies that may arise from multiple component renderings or repetitive user actions.

featured image for Mutable vs Immutable Data in JavaScript and React.js

Mutable vs Immutable Data in JavaScript and React.js

In programming, data structures can generally be classified as either mutable or immutable. Here is a simplified explanation of both in JavaScript and React.js.