Does SameSite Provide Sufficient CSRF Defence?

During web security assessments we are often asked: “If we implement the SameSite cookie attribute, will it be enough to protect the application from Cross-site Request Forgery (CSRF) attacks?”

The short answer is no, primarily because the mechanism is a client-side control: it depends on the browser honouring the cookie attribute.

Why the SameSite cookie attribute does not replace a secure Anti-CSRF mechanism:

  • The control is implemented client-side, and is not as secure as a server-side, per-request mechanism.
  • Many frameworks accept both GET and POST HTTP request methods for the same action; by simply changing the request method to GET, the cookie may be sent without the additional client-side protection provided by the SameSite attribute.
  • Legacy clients (old web browsers) may not support the SameSite attribute and will therefore ignore it.

When is the SameSite Cookie Attribute Useful?

In most cases the SameSite cookie attribute should not be depended on as a single line of defence against CSRF attacks. However, when used in conjunction with a secure Anti-CSRF mechanism, the SameSite attribute further reduces the application's exposure to CSRF attacks.
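The following is an added example, not code from the original post, showing how a server-side per-session anti-CSRF token check sits alongside the SameSite attribute rather than replacing it. The browser behaviour is a simplified model written for this illustration (an assumption, not a quotation of any specification), and the `Request`, `handle_transfer` and `simulate` names are invented for the example; all sessions and requests are constructed in memory.

```python
"""Added example: server-side anti-CSRF token check combined with SameSite.

Nothing here is from the original post. The browser model below is a
simplified assumption of modern SameSite handling, used only to show why
the attribute alone is insufficient for a handler that accepts GET.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

# session id -> per-session anti-CSRF token (constructed in-memory store)
SESSIONS: Dict[str, str] = {}

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (hypothetical type)."""
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def set_cookie_header(name: str, value: str, same_site: str = "Lax") -> str:
    """Build a Set-Cookie header with the usual hardening flags plus SameSite."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def start_session() -> tuple:
    """Create a session and bind a fresh random anti-CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def handle_transfer(req: Request) -> tuple:
    """Server-side control: state changes need a session, a state-changing
    method, and a token that matches the one bound to the session."""
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return 401, "no session"
    if req.method not in STATE_CHANGING:
        # Refusing GET for state changes closes the "switch to GET" gap.
        return 405, "state changes only via POST"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, SESSIONS[sid]):
        return 403, "missing or invalid anti-CSRF token"
    return 200, "transfer accepted"


def browser_attaches_cookie(same_site: str, method: str,
                            cross_site: bool, top_level: bool) -> bool:
    """Simplified model (assumption) of whether a SameSite-aware browser
    attaches the cookie. A legacy browser that ignores the attribute
    behaves like SameSite=None."""
    if not cross_site:
        return True
    if same_site == "Strict":
        return False
    if same_site == "Lax":
        # Lax still sends the cookie on top-level GET navigations.
        return method == "GET" and top_level
    return True  # SameSite=None or attribute ignored


def simulate(same_site: str, method: str, cross_site: bool,
             top_level: bool = True, include_token: bool = False) -> int:
    """Run one request through the browser model and the server handler."""
    sid, token = start_session()
    cookies = {}
    if browser_attaches_cookie(same_site, method, cross_site, top_level):
        cookies["session"] = sid
    form = {"csrf_token": token} if include_token else {}
    status, _ = handle_transfer(Request(method, "/transfer", cookies, form))
    return status


if __name__ == "__main__":
    print(set_cookie_header("session", "abc"))
    print("cross-site GET, Lax  ->", simulate("Lax", "GET", cross_site=True))
    print("cross-site POST, Lax ->", simulate("Lax", "POST", cross_site=True))
    print("cross-site POST, None->", simulate("None", "POST", cross_site=True))
    print("same-site POST+token ->",
          simulate("Lax", "POST", cross_site=False, include_token=True))
```

With SameSite=Lax a cross-site top-level GET still carries the cookie, so a handler that accepted GET would be exposed; here the server rejects it because only POST with a valid token changes state. With SameSite=None, or a browser that ignores the attribute, the cookie arrives on a cross-site POST and the token check is the only thing stopping the request.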