Facebook Pixel

Do I need CSRF tokens if I use sameSite cookies?

With sameSite 'lax' or 'strict', CSRF is largely handled because cross-site requests do not include the cookie. For sameSite 'none' (third-party embeds), you need CSRF tokens (e.g., csurf middleware).

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in Cookie Security in Node.js Explained

httpOnly (no script access), secure (HTTPS only), sameSite ('lax' or 'strict' for CSRF protection), maxAge (match token expiry), domain (for subdomain sharing), path (for restriction), and signed (tamper detection with cookie-parser).

Scripts cannot read the cookie. Only the browser sends it on requests. Protects against XSS-driven cookie theft. Without httpOnly, any script (including injected ones) can read the cookie.

Controls when the cookie is sent on cross-site requests. 'strict' never sends it cross-site (strongest CSRF protection). 'lax' sends it on top-level navigations (good balance). 'none' always sends it (requires secure: true; use only for third-party embeds).

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.