During web app penetration testing we are often asked: “If we implement the SameSite cookie attribute, will it be enough to protect the application from Cross-site Request Forgery (CSRF) attacks?
The short answer is no, primarily due to the implementation mechanism being a client –side control (it is dependent on the browser implementing the cookie attribute).
Why the SameSite cookie attribute does not replace a secure Anti-CSRF mechanism:
In most cases the SameSite cookie attribute should not be depended on as a single line of defence against CSRF attacks. However, if used in conjunction with a secure Anti-CSRF mechanism the SameSite attribute can be used to further mitigate the environment against CSRF attacks.