Sensitive Cookie with Improper SameSite Attribute
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-1275: Sensitive Cookie with Improper SameSite Attribute |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The session cookie is set with SameSite=None, which instructs the browser to attach it to every request to the application, including requests initiated from other sites: a form auto-submitted from an attacker-controlled page, a cross-site fetch or XHR sent with credentials, or an image or iframe load. Unless a second defence such as an anti-CSRF token or Origin check is in place, this exposes the application to cross-site request forgery (CSRF). Note that SameSite=None is only honoured together with the Secure attribute; modern browsers discard the cookie without it. The alternatives are Lax, which withholds the cookie on cross-site requests except top-level navigations using a safe method such as GET (Chromium-based browsers treat a missing attribute as Lax), and Strict, which withholds it on every cross-site request. For a first-party session cookie, Lax or Strict is the expected setting.
Impact
If exploited, an attacker can make a victim's browser send authenticated requests to the application from a site the attacker controls. Any state-changing endpoint that relies on the session cookie alone for authorization (no anti-CSRF token, no Origin or Referer check) can then be invoked with the victim's privileges, leading to unauthorized actions or data exposure. This weakens session security and puts user accounts at risk. SameSite is a defence in depth: correct the cookie attribute, but keep a server-side CSRF defence as well, since older browsers do not enforce SameSite at all.
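To make the description and impact above concrete, here is an added example in JavaScript (not code from the original page) that models the browser's SameSite decision rule and compares the flagged SameSite=None session cookie with a SameSite=Lax one across constructed cross-site requests. The cookie name, hostnames and request shapes are assumptions for illustration, and siteOf is a simplified stand-in for the public-suffix-list lookup real browsers perform.

```javascript
// Added example (not code from the original page): a model of the browser
// decision that makes SameSite=None dangerous. Cookie names, hosts and the
// request shapes below are constructed for illustration.

// The weak configuration this rule flags, beside the hardened form.
const WEAK_COOKIE = { name: 'session', value: 'abc123', sameSite: 'None', secure: true, httpOnly: true };
const HARDENED_COOKIE = { name: 'session', value: 'abc123', sameSite: 'Lax', secure: true, httpOnly: true };

// Serialize a cookie as a Set-Cookie header value. Browsers discard
// SameSite=None cookies that lack Secure, so refuse to emit that combination.
function setCookieHeader(c) {
  if (c.sameSite === 'None' && !c.secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${c.name}=${c.value}`, 'Path=/'];
  if (c.httpOnly) parts.push('HttpOnly');
  if (c.secure) parts.push('Secure');
  parts.push(`SameSite=${c.sameSite}`);
  return parts.join('; ');
}

// "Site" of a host: its registrable domain. Real browsers consult the public
// suffix list; this simplified version assumes a one-label suffix (e.g. ".com").
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Would the browser attach `cookie` to this request?
// req = { initiatorHost, targetHost, method, topLevelNavigation, https }
//   initiatorHost: host of the page that caused the request
//   topLevelNavigation: true for a link click or form submit that changes the
//   address bar, false for fetch()/XHR/<img>/<iframe> subresource loads
function cookieSent(cookie, req) {
  if (cookie.secure && !req.https) return false;                       // Secure: HTTPS only
  if (siteOf(req.initiatorHost) === siteOf(req.targetHost)) return true; // same-site: always sent
  switch (cookie.sameSite) {
    case 'None':
      return true;                                                     // cross-site: always attached
    case 'Lax':
      // Only top-level navigations with a safe method carry the cookie.
      return req.topLevelNavigation && ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(req.method);
    case 'Strict':
      return false;                                                    // never sent cross-site
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed request scenarios (hostnames are assumptions).
const APP = 'app.example.com';
const ATTACKER = 'attacker.example.net';
// Classic CSRF: a hidden form on the attacker's page auto-submits a POST.
const csrfFormPost = { initiatorHost: ATTACKER, targetHost: APP, method: 'POST', topLevelNavigation: true, https: true };
// Cross-site fetch(..., { credentials: 'include' }) from the attacker's page.
const csrfFetch = { initiatorHost: ATTACKER, targetHost: APP, method: 'POST', topLevelNavigation: false, https: true };
// A legitimate link from another site into the app (what Lax is designed to keep working).
const externalLink = { initiatorHost: ATTACKER, targetHost: APP, method: 'GET', topLevelNavigation: true, https: true };
// A request from the app's own sibling subdomain: same site, not cross-site.
const sameSiteXhr = { initiatorHost: 'api.example.com', targetHost: APP, method: 'POST', topLevelNavigation: false, https: true };

// Run every scenario against both cookies and return the result matrix.
function compare() {
  const scenarios = { csrfFormPost, csrfFetch, externalLink, sameSiteXhr };
  const out = {};
  for (const [name, req] of Object.entries(scenarios)) {
    out[name] = { weak: cookieSent(WEAK_COOKIE, req), hardened: cookieSent(HARDENED_COOKIE, req) };
  }
  return out;
}

console.log(setCookieHeader(WEAK_COOKIE));
console.log(setCookieHeader(HARDENED_COOKIE));
console.table(compare());
```

Run it with node: the matrix shows SameSite=None attaching the session cookie to both the attacker's form POST and the credentialed fetch, while Lax withholds it from both yet still lets an ordinary external link land logged in. Lax is the usual fix for a first-party session cookie; None is only legitimate for cookies that genuinely must travel cross-site (embedded widgets, some SSO flows), and then only with Secure and a separate CSRF defence.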