
The Beginner's Guide on SameSite requirements for cookies - SEOs and Developers need to know!

Published on 28 January 20

Cookie attributes let you control how a cookie is stored and transmitted, and since cookies are used to maintain and authenticate sessions, securing them protects the user identity they represent. Traditionally there have been 5 cookie attributes: Secure, Path, Domain, Expires, and HttpOnly. SameSite is a newer attribute that stops browsers from sending the cookie along with cross-site requests. It was developed to mitigate the risks of cross-origin information leakage. Both developers and SEO consultants need to be aware of the latest SameSite requirements for cookies.

SameSite Requirements for Cookies

Chrome has recently introduced new SameSite attribute requirements for cookies. As an SEO consultant or developer, you need to know what has changed.

  • The new browser code applies a stricter secure-by-default model when reading and setting cookie values
  • Users may keep first-party cookies, which usually hold routine site information
  • Users may remove third-party cookies because of privacy concerns
  • This makes it easier for users to control cookie permissions without having to work through a list of unfamiliar websites

The SameSite attribute accepts 3 possible values: None, Lax, and Strict.

SameSite's primary goal is to reduce the risk of cross-origin information leaks. It also provides a certain level of protection against cross-site request forgery (CSRF) attacks.

Secure By Default Model

If you are part of a development team or an SEO services provider, you should understand how differently browsers handle third-party cookies. Secure-by-default takes a defensive approach: the lowest level of trust (none) is assumed at the first point of contact between parties.

  • First-party cookies have a well-established, privileged transmission protocol
  • Third-party cookies require explicit permission before the browser will send their values to the site

Microsoft Edge and Mozilla Firefox will adopt the change along with Chrome. Safari may handle SameSite settings slightly differently, although its Intelligent Tracking Prevention has many similarities.

The new SameSite policy requires the following:

  • Self-identification for third-party cookies
  • Transmission over TLS connections
  • Compliance with the secure-by-default model
  • A SameSite=None cookie must also carry the Secure attribute; otherwise the request is handled as SameSite=Lax and the directive is denied

Testing SameSite=None Implementation

As an SEO consultant, you can test a SameSite=None implementation both with and without the Secure declaration. You can also check the SameSite console warnings in the browser developer tools when SameSite is applied to third-party cookies.
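The following is an added example, not code from the original article, that applies the requirements above to Set-Cookie header values of the kind you would copy out of the browser's developer tools: a missing SameSite attribute is reported as defaulting to Lax, and SameSite=None without Secure is flagged as not honoured. The header strings in SAMPLE_HEADERS are constructed samples, not captured from any real site.

```python
"""Audit Set-Cookie headers against the SameSite requirements above.

Added example, not code from the original article. The header strings in
SAMPLE_HEADERS are constructed for illustration, not captured from a real site.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    samesite: Optional[str]      # attribute as written, None if absent
    secure: bool
    httponly: bool
    effective_samesite: str      # what a secure-by-default browser applies
    warnings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and apply the secure-by-default rules:
    no SameSite attribute is treated as Lax, and SameSite=None without Secure
    is not honoured, so it is reported as falling back to Lax."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite: Optional[str] = None
    secure = httponly = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "samesite":
            samesite = value.capitalize()      # 'none' -> 'None', 'LAX' -> 'Lax'
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True

    warnings: List[str] = []
    if samesite is None:
        effective = "Lax"
        warnings.append("no SameSite attribute: browser defaults to Lax")
    elif samesite == "None" and not secure:
        effective = "Lax"
        warnings.append("SameSite=None without Secure: not honoured, treated as Lax")
    elif samesite in ("Strict", "Lax", "None"):
        effective = samesite
    else:
        effective = "Lax"
        warnings.append(f"unknown SameSite value {samesite!r}: treated as Lax")
    if not httponly:
        warnings.append("no HttpOnly: cookie is readable from page scripts")
    return CookieAudit(name, samesite, secure, httponly, effective, warnings)


# Constructed sample headers, the kind you would copy out of the Network tab.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly; SameSite=None",            # broken: None without Secure
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=None",    # correct third-party cookie
    "pref=dark; Path=/",                                      # legacy: no SameSite at all
    "login=tok; Path=/; Secure; HttpOnly; SameSite=Strict",   # first-party only
]


def audit_headers(headers: List[str]) -> List[CookieAudit]:
    """Audit a list of Set-Cookie header values and return one report per cookie."""
    return [parse_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for audit in audit_headers(SAMPLE_HEADERS):
        print(f"{audit.name}: written={audit.samesite!r} effective={audit.effective_samesite}")
        for w in audit.warnings:
            print("  warning:", w)
```

Run it against the headers your own site sets; any cookie that is meant to be read in a third-party context but reports an effective value of Lax is the one to fix first.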

Preventing Cross-Site Request Forgery (CSRF)

The new policies also aim to restrict attacks that use known Cross-Site Request Forgery vulnerabilities. Traditionally, cookie values were sent without any restrictions, so an attacker could exploit a site's insecure cookie implementation.

  • Avoid storing application secrets in cookie values
  • Use hidden anti-CSRF tokens in web forms, so that action requests are confirmed to come from valid users

This protects against imposters making requests after hijacking a user's session.
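The hidden anti-CSRF token recommended above, as an added example that is not the article's own code. It follows the synchronizer-token pattern: the server derives a token from the session id with an HMAC keyed by a server secret, embeds it in the form as a hidden field, and only accepts a POST whose hidden field matches the recomputed value. A forged cross-site request carries the session cookie automatically but cannot supply the token. SERVER_KEY, the session ids and the /transfer form are constructed values for illustration.

```python
"""Hidden anti-CSRF token bound to the user's session.

Added example, not the article's code. SERVER_KEY and the session ids are
constructed values; a real deployment loads a persistent secret from config.
"""
import hashlib
import hmac
import secrets
from typing import Dict

SERVER_KEY = secrets.token_bytes(32)     # constructed; in practice a persistent configured secret


def issue_csrf_token(server_key: bytes, session_id: str) -> str:
    """Derive the per-session token; deterministic, so the server need not store it."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(server_key: bytes, session_id: str, submitted: str) -> bool:
    """Recompute the expected token and compare in constant time."""
    expected = issue_csrf_token(server_key, session_id)
    return hmac.compare_digest(expected, submitted or "")


def render_transfer_form(server_key: bytes, session_id: str) -> str:
    """HTML the server emits for a logged-in user, with the token as a hidden field."""
    token = issue_csrf_token(server_key, session_id)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(server_key: bytes, cookies: Dict[str, str], form: Dict[str, str]) -> str:
    """Server-side handler: the session comes from the cookie, the token from the form body.

    Both must agree; a request that only has the cookie is rejected."""
    session_id = cookies.get("sid")
    if not session_id:
        return "rejected: no session"
    if not verify_csrf_token(server_key, session_id, form.get("csrf_token", "")):
        return "rejected: bad csrf token"
    return f"ok: transferred {form.get('amount')}"


if __name__ == "__main__":
    user = "sess-user-0001"                      # constructed session id
    print(render_transfer_form(SERVER_KEY, user))
    # legitimate submission from the rendered form
    good = {"csrf_token": issue_csrf_token(SERVER_KEY, user), "amount": "10"}
    print(handle_transfer(SERVER_KEY, {"sid": user}, good))
    # cross-site form post: the browser attaches the cookie, but the page has no token
    print(handle_transfer(SERVER_KEY, {"sid": user}, {"amount": "10"}))
    # a token issued for a different session does not validate for this one
    print(handle_transfer(SERVER_KEY, {"sid": user},
                          {"csrf_token": issue_csrf_token(SERVER_KEY, "sess-other"), "amount": "10"}))
```

Binding the token to the session id is what makes the third case fail: a token obtained from one session is useless against another. Pair this with SameSite=Lax or Strict on the session cookie so the cookie itself is withheld from cross-site form posts.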

How to Set Other SameSite Cookie Values?

Besides None, the other 2 possible values for the SameSite attribute are Lax and Strict. Not all of these settings can be used in every context.

  • Strict: Use this value for first-party cookies in applications that never need cookie values in a third-party context. It gives the highest level of security, since the cookie is never sent in a third-party context, not even when a regular link is followed. It is best suited to cases such as bank websites, where there is no need for transactional pages to be linked from external sites.
  • Lax: Similar to Strict, with one exception: when a click on a third-party link to the application produces a TLS-secured request, the cookie values are sent so the application works as expected and can personalize settings for the user.
  • None + Secure: Allows cookie values to be accessed in third-party contexts as long as communication takes place over a TLS connection. It is the most open SameSite setting and offers a balance between usability and security, for example keeping a user logged in after they return from an external site.
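To make the three values concrete, here is an added example (not the article's code) that models when a browser attaches a cookie to a request. It goes slightly beyond the list above: same-site requests always carry the cookie; Strict never crosses sites; Lax crosses sites only on a top-level navigation with a safe method (a link click, not a form POST or an embedded image); None crosses sites freely but only when the cookie is also Secure. A SameSite=None cookie without Secure is modelled, as the article describes, as falling back to Lax; Chrome in fact refuses to store such a cookie, which for cross-site requests gives the same visible result (the cookie is not sent). The scenarios in SCENARIOS are constructed.

```python
"""Model of when a browser attaches a cookie, by SameSite value.

Added example, not the article's code. SCENARIOS are constructed requests.
"""
from typing import Dict, List, Optional, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def effective_samesite(samesite: Optional[str], secure: bool) -> str:
    """Secure-by-default: missing attribute is Lax; None without Secure falls back to Lax."""
    if samesite is None or (samesite == "None" and not secure):
        return "Lax"
    return samesite


def cookie_is_sent(samesite: Optional[str], secure: bool, *, same_site: bool,
                   top_level: bool, method: str, https: bool) -> bool:
    """Decide whether the cookie accompanies a request with the given properties."""
    if secure and not https:
        return False                      # Secure cookies never travel over plain HTTP
    policy = effective_samesite(samesite, secure)
    if same_site:
        return True                       # same-site requests are unaffected by SameSite
    if policy == "Strict":
        return False                      # never sent cross-site, not even on a link click
    if policy == "Lax":
        return top_level and method.upper() in SAFE_METHODS
    return True                           # None + Secure: sent on any cross-site request


# (label, samesite, secure, same_site, top_level, method, https); all constructed
Scenario = Tuple[str, Optional[str], bool, bool, bool, str, bool]
SCENARIOS: List[Scenario] = [
    ("strict: link click from external site",   "Strict", True,  False, True,  "GET",  True),
    ("strict: same-site navigation",            "Strict", True,  True,  True,  "GET",  True),
    ("lax: link click from external site",      "Lax",    True,  False, True,  "GET",  True),
    ("lax: cross-site form POST",               "Lax",    True,  False, True,  "POST", True),
    ("lax: cross-site image embed",             "Lax",    True,  False, False, "GET",  True),
    ("no attribute: cross-site form POST",      None,     True,  False, True,  "POST", True),
    ("none+secure: cross-site image embed",     "None",   True,  False, False, "GET",  True),
    ("none without secure: cross-site embed",   "None",   False, False, False, "GET",  True),
    ("secure cookie over plain http",           "Lax",    True,  True,  True,  "GET",  False),
]


def evaluate(scenarios: List[Scenario]) -> Dict[str, bool]:
    """Return a label -> sent? map for a list of scenarios."""
    return {
        label: cookie_is_sent(samesite, secure, same_site=same_site,
                              top_level=top_level, method=method, https=https)
        for label, samesite, secure, same_site, top_level, method, https in scenarios
    }


if __name__ == "__main__":
    for label, sent in evaluate(SCENARIOS).items():
        print(f"{'sent    ' if sent else 'withheld'}  {label}")
```

The "no attribute" row is the one that changed behaviour with Chrome's secure-by-default rollout: a cookie that never specified SameSite used to ride along on cross-site form posts and now does not.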

So it is important for SEO consultancy services and development teams alike to be aware of the latest SameSite requirements for cookies.
