What does sameSite do for JWT cookies?
Controls when the cookie is sent on cross-site requests. 'strict' never sends it cross-site (strongest CSRF protection). 'lax' sends it on top-level navigations (good balance). 'none' always sends it (requires secure: true; use only for third-party embeds).
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in How to Securely Store JWT in Cookies
Set httpOnly: true (no script access), secure: true (HTTPS only), sameSite: 'lax' or 'strict' (CSRF protection), and maxAge matching the JWT expiry. Clear with the same options on logout.
Scripts cannot read the cookie. This protects against XSS-driven token theft. Without httpOnly, any script (including injected ones) can read the token and send it to an attacker.
The cookie is only sent over HTTPS. Without secure, the cookie is sent over HTTP too, and a man-in-the-middle can read it. Always use HTTPS in production.
Still have questions?
Browse all our FAQs or reach out to our support team
