
Why is Spring Security setting CSRF cookie with SameSite=None attribute?


I have a Spring Boot application with Spring Security 6 and a single page application for the frontend (Vue). I configured anti-CSRF using the exact same config as the one described in the documentation. The backend and the frontend are both running on localhost but on separate ports, so I have CORS configuration enabled.

The XSRF-TOKEN cookie set has the attribute SameSite=None.

Why is Spring Security setting the cookie with SameSite=None?


Solution

  • Since your backend and frontend are on different ports they are not considered to be on the same site, hence SameSite is set to None; otherwise you would not be getting the cookie at all.

    SameSite includes host and port.

    So localhost:8080 is not the same site as localhost:3000.

    Also please note that you can't have SameSite=None and Secure=false: Secure=true is only allowed in HTTPS requests, and SameSite=None is only allowed when having Secure=true (so only in HTTPS requests).

    You can read more about the attributes here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value

    So this is mainly set as such because of those reasons, and it is a compromise to make your application work locally.
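If you would rather state the cookie attributes yourself than depend on whatever the defaults produce, the following is an added example (not the asker's configuration and not code from Spring Security's documentation) of a Spring Security 6.1+ setup for an SPA on a separate port. It assumes the package name, that the SPA is served from http://localhost:3000 (the port used in the answer above), and Spring Security 6.1 or later, which added `CookieCsrfTokenRepository.setCookieCustomizer`. Which `SameSite` value you choose depends on whether the browser treats your SPA origin and API origin as the same site in your deployment; `Secure` is deliberately left to follow the request scheme so the "None requires Secure" rule from the answer is never violated on an HTTP request.

```java
// Added example, not the question's or the answer's code.
// Assumptions: package name, SPA origin http://localhost:3000, Spring Security >= 6.1.
package com.example.security;

import java.io.IOException;
import java.util.List;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class CsrfCookieConfig {

    // Assumed SPA origin; the browser only sends the cookie back to an origin listed here.
    private static final String SPA_ORIGIN = "http://localhost:3000";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // httpOnly=false so the SPA can read XSRF-TOKEN and echo it in the X-XSRF-TOKEN header.
        CookieCsrfTokenRepository repo = CookieCsrfTokenRepository.withHttpOnlyFalse();
        // Spring Security 6.1+: set the attributes explicitly. Secure is NOT set here, so the
        // repository keeps its default of request.isSecure(): Secure on HTTPS, absent on HTTP.
        repo.setCookieCustomizer(cookie -> cookie
                .sameSite("Lax")   // choose the value that matches how your origins relate
                .path("/"));

        // Plain handler: the cookie carries the raw token, so the SPA can send it back
        // unchanged. (The docs' SpaCsrfTokenRequestHandler adds BREACH masking; omitted here.)
        CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();

        http
            .cors(Customizer.withDefaults())
            .csrf(csrf -> csrf
                .csrfTokenRepository(repo)
                .csrfTokenRequestHandler(requestHandler))
            // Ensures Set-Cookie: XSRF-TOKEN is written on every response.
            .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // An exact origin is required: allowCredentials=true cannot be combined with "*".
        config.setAllowedOrigins(List.of(SPA_ORIGIN));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(List.of("Content-Type", "X-XSRF-TOKEN"));
        config.setAllowCredentials(true); // lets the browser attach cookies cross-origin
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }

    /** Reads the deferred token so CookieCsrfTokenRepository actually saves (writes) it. */
    static final class CsrfCookieFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (csrfToken != null) {
                csrfToken.getToken(); // resolving the token triggers the Set-Cookie
            }
            filterChain.doFilter(request, response);
        }
    }
}
```

Once this is in place, check the response headers in the browser's network panel: the `Set-Cookie: XSRF-TOKEN=...` line should show exactly the `SameSite` value from the customizer, with `Secure` present only when the request came in over HTTPS. On Spring Boot there is also a container-level alternative that does not touch the Spring Security configuration: a `CookieSameSiteSupplier` bean, for example `CookieSameSiteSupplier.ofLax().whenHasName("XSRF-TOKEN")`, which applies the attribute to that cookie name on its way out of the servlet container.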