Fix guide · medium · cookie_missing_samesite

Auth cookie missing SameSite flag

What this rule means

An auth-shaped cookie (session, token, auth, sid, jwt, csrf) was set without the SameSite flag.

Why it matters

Browsers apply different defaults when the attribute is absent, so you do not control how the cookie behaves on cross-site requests. Without SameSite, you're vulnerable to CSRF on cross-site form posts. Lax is the de-facto modern default.

How to fix it

Add SameSite to every auth-shaped cookie. Most auth cookies should have all three: Secure, HttpOnly, SameSite.

The raw header to aim for:

Set-Cookie: session=abc; HttpOnly; Secure; SameSite=Lax; Path=/

Express / Connect:

res.cookie('session', token, {
  httpOnly: true, secure: true, sameSite: 'lax', path: '/',
});

Next.js Route Handlers + Server Actions:

import { cookies } from 'next/headers';
cookies().set('session', token, {
  httpOnly: true, secure: true, sameSite: 'lax', path: '/',
});

Hono (Cloudflare Workers / Deno / Bun):

import { setCookie } from 'hono/cookie';
setCookie(c, 'session', token, {
  httpOnly: true, secure: true, sameSite: 'Lax', path: '/',
});

Fastify:

reply.setCookie('session', token, {
  httpOnly: true, secure: true, sameSite: 'lax', path: '/',
});

Remix / SvelteKit (raw Response):

new Response(body, {
  headers: { 'Set-Cookie': `session=${token}; HttpOnly; Secure; SameSite=Lax; Path=/` },
});
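To check the fix end to end, the following is an added example (not vibecheck's code, nor any framework's) that parses Set-Cookie headers and reports auth-shaped cookies missing SameSite, HttpOnly or Secure; the auth-shaped word list is taken from this guide and the sample headers are constructed.

```javascript
// Added example, not vibecheck's own code: audit Set-Cookie headers for auth-shaped cookies.
const AUTH_SHAPED = ['session', 'token', 'auth', 'sid', 'jwt', 'csrf'];

// Parse one Set-Cookie header into { name, attrs }; attribute names are case-insensitive (RFC 6265).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, attrs };
}

// Same heuristic as the rule: the cookie name contains an auth-shaped word.
function isAuthShaped(name) {
  const n = name.toLowerCase();
  return AUTH_SHAPED.some((word) => n.includes(word));
}

// Findings for a single Set-Cookie header; an empty array means it is clean.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  if (!isAuthShaped(name)) return [];
  const findings = [];
  if (!('samesite' in attrs)) findings.push('SameSite');
  if (!('httponly' in attrs)) findings.push('HttpOnly');
  if (!('secure' in attrs)) findings.push('Secure');
  // Browsers reject SameSite=None unless the cookie is also Secure.
  if (String(attrs.samesite).toLowerCase() === 'none' && !('secure' in attrs)) {
    findings.push('SameSite=None requires Secure');
  }
  return findings;
}

// Build the header shape this guide recommends.
function hardenedSetCookie(name, value, sameSite = 'Lax') {
  return `${name}=${value}; HttpOnly; Secure; SameSite=${sameSite}; Path=/`;
}

// Constructed sample headers: the first is flagged, the second is not auth-shaped, the third is clean.
const SAMPLE_HEADERS = ['session=abc; Path=/', 'theme=dark; Path=/', hardenedSetCookie('sid', 'xyz')];
for (const h of SAMPLE_HEADERS) console.log(h, '->', auditSetCookie(h));
```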

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
