Learn about CSRF (cross-site request forgery) protection and how Corbado’s session management uses it.
Corbado's session management sets the `sameSite` attribute of both cookies to `lax`. With `SameSite=Lax`, the browser attaches the cookies only to requests that originate from the same site (scheme plus registrable domain of the page in the address bar, so `https://example.com` for a page on `https://app.example.com`) and to top-level navigations that use a safe method such as GET. A cross-site request that a malicious page issues with a form POST, fetch or XHR therefore arrives without the session cookies, which defeats the classic CSRF vector. The one gap to keep in mind is the top-level GET navigation: a link on the malicious site that points at your application does carry the cookies, so state-changing endpoints must never act on GET requests.