
That's the root of it, right? Many app servers or WAFs inject/validate CSRF tokens on requests/responses. There may be a way to set the SameSite flag on cookies at the server level without even having to touch app code: "if SameSite isn't set then set it to None".

I've been running into this issue in a number of projects, all involving SSO and custom in-house IdP implementations. It's an easy fix, but getting the teams together and coordinated has been the hardest part.
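A server-level version of that rule, as an added example that is not from the comment or from any product it mentions: a WSGI middleware (a constructed stand-in for the app-server or WAF layer) that stamps a SameSite attribute onto every Set-Cookie the application did not already mark, and adds Secure when the policy is None, because browsers discard SameSite=None cookies that are not also Secure. Cookie names and values below are constructed sample data.

```python
def add_samesite(header_value: str, policy: str = "None") -> str:
    """Return a Set-Cookie value with a SameSite attribute added if absent.

    An attribute the app set itself is left untouched, so apps that already
    chose Lax/Strict keep their stricter policy. SameSite=None is only
    honoured by browsers when the cookie is also Secure, so Secure is added
    alongside it when missing.
    """
    attrs = [a.strip() for a in header_value.split(";")]
    names = {a.split("=", 1)[0].lower() for a in attrs[1:]}  # attrs[0] is name=value
    if "samesite" in names:
        return header_value
    out = header_value.rstrip().rstrip(";").rstrip()
    out += f"; SameSite={policy}"
    if policy.lower() == "none" and "secure" not in names:
        out += "; Secure"
    return out


class SameSiteMiddleware:
    """Rewrites Set-Cookie headers of the wrapped WSGI app; no app code changes."""

    def __init__(self, app, policy: str = "None"):
        self.app = app
        self.policy = policy

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            new_headers = [
                (k, add_samesite(v, self.policy)) if k.lower() == "set-cookie" else (k, v)
                for k, v in headers
            ]
            return start_response(status, new_headers, exc_info)

        return self.app(environ, patched_start_response)


def demo_headers():
    """Constructed sample app: one unmarked session cookie, one already Lax."""

    def app(environ, start_response):
        start_response("200 OK", [
            ("Content-Type", "text/plain"),
            ("Set-Cookie", "JSESSIONID=constructed123; Path=/; HttpOnly"),
            ("Set-Cookie", "pref=dark; Path=/; SameSite=Lax"),
        ])
        return [b"ok"]

    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    b"".join(SameSiteMiddleware(app)({"REQUEST_METHOD": "GET"}, start_response))
    return captured["headers"]
```

SameSite=None is the permissive choice; it keeps cross-site SSO flows working but leaves CSRF protection entirely to the token check the comment mentions, so a stricter default (Lax) is preferable wherever the login flow tolerates it.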