Do I still need CSRF protection when SameSite is set to Lax?

You still need "traditional" CSRF-protection. Maybe this will change in the years to come, but as of writing the SameSite attribute should be viewed more as defense in depth than your one and only line of defence. This is for a few reasons:

  • According to caniuse.com, there is currently only browser support for 85% or 92% (if you count partial support) of global users. For instance IE 11 on Windows 8 (still used in many offices around the world) doesn't support it, and neither does the UC Browser on Android.
  • Relying on browsers to auto upgrade to Lax is even worse, since not all supporting browsers do this. I don't have any numbers, though. But at the very least, you need to explicitly set the flag.
  • Do you really trust all current and future developers of your application to never change server state on a GET request? I wouldn't do so - I would not even trust myself. If you want to rely on SameSite, set it to Strict.
  • If you do not trust your subdomains, SameSite will not help you. See this great article by jub0bs.
  • As I write in this answer (second bullet point) there are some cases where you will always need a traditional CSRF-defence.

TL;DR: Just the SameSite flag is not enough to protect your users from CSRF.


SameSite=Lax means NO CSRF protection for GET requests.

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Cookies are allowed to be sent with top-level navigations and will be sent along with GET request initiated by third party website. This is the default value in modern browsers.

In an ideal case, that may be sufficient CSRF protection. But the real world is far from ideal. Web APIs with non-safe GET requests are far from rare (a GET request that changes a server-state, although it shouldn't, according to the HTTP specifications).

Also, not all browsers correctly implement the samesite flag (yet): https://caniuse.com/#feat=same-site-cookie-attribute

And some older never will.

It's safer to implement additional explicit CSRF protection like synchronizer token pattern.


With samesite being supported in all major browsers, it's a borderline issue.

  • As a developer, I typically use either a framework with built-in CSRF protection (e.g. Spring Security) or Ajax endpoints. Implementing CSRF protection is no hassle, and I continue to use it now we have samesite cookies.

  • As a pen tester, I'd raise lack of CSRF protection on POST requests as low-risk or informational. If a GET request allowed an action, I'd flag at a higher risk level, depending on what actions were vulnerable.

Tags:

Csrf

Web Application

Same Site Cookies

Related

How can we eliminate passwords given the problems with biometric authentication? What information does ssh -vvv expose? Does legitimate tech support use remote control software? What is the suggested best practice for changing a user's email address? Are there security reasons for prohibiting universal mac address modification? How does releasing exfiltrated data increase the chances of an attacker getting caught? Is starting an AWS instance with only ssh to port 22 significantly insecure? What's the point of Microsoft Account 2FA if it still lets me log in using password instead? How does a 'rainbow table' hacker obtain password hashes in the first place? Where should I store a username during a password reset? How can malware discover the real IP of a TAILS user? What is the risk of having a 2FA key permanently plugged into my device?

Recent Posts