SameSite Cookie
// Definition
The SameSite attribute on a Set-Cookie header controls whether the browser sends the cookie on cross-site requests. Three values: Strict (cookie sent only on same-site requests — most restrictive, breaks some OAuth redirect flows); Lax (cookie sent on same-site requests and top-level navigations — the browser default since 2020); None (cookie sent on all requests including cross-origin — requires the Secure flag or modern browsers silently drop it). Testing checklist: session and auth cookies should be Lax or Strict; cross-origin API clients that send cookies must use SameSite=None; None without Secure is a common misconfiguration that causes silent cookie rejection rather than an error response.
// Related terms
Cookie
A small name-value string the browser stores and automatically attaches to every request matching the cookie's domain and path. Set by the server via the Set-Cookie response header; read by the server from the Cookie request header; readable by JavaScript via document.cookie unless the HttpOnly flag is set. Key security attributes: HttpOnly (blocks JS access, mitigating XSS token theft); Secure (HTTPS-only transmission); SameSite (controls cross-site attachment — Strict, Lax, or None); Domain and Path (request scope). QA testing checklist: session cookies must have HttpOnly and Secure; auth cookies should be SameSite=Lax or Strict; sensitive data should not be stored in cookie values unencrypted; cookies should expire or be cleared on logout.
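The checklist items in the SameSite and Cookie entries above can be turned into an automated test. The following Python helper is an added example, not code from this glossary or any specific framework: it parses Set-Cookie header values (attribute names are case-insensitive), flags SameSite=None without Secure, and applies the session-cookie rules (HttpOnly, Secure, SameSite=Lax or Strict). The set of cookie names treated as session/auth cookies and the sample header lines are constructed assumptions.

```python
"""Set-Cookie audit helper (added example, not part of the glossary page).

Applies the checklist from the SameSite and Cookie entries: session/auth
cookies need HttpOnly + Secure and SameSite=Lax or Strict; SameSite=None
requires Secure, otherwise modern browsers drop the cookie silently.
The header lines below are constructed sample input, not captured from
any real server.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Which cookie names count as session/auth cookies is an assumption for this
# example; a real test suite would take the list from the application under test.
SESSION_COOKIE_NAMES = {"sessionid", "session", "auth", "jsessionid", "connect.sid"}


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def samesite(self) -> Optional[str]:
        v = self.attrs.get("samesite")
        return v.lower() if v else None


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as HttpOnly and Secure map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        k, sep, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip() if sep else None
    return ParsedCookie(name=name.strip(), value=value.strip(), attrs=attrs)


def audit_cookie(cookie: ParsedCookie) -> List[str]:
    """Return checklist findings for one cookie (empty list = passes)."""
    findings: List[str] = []
    secure = "secure" in cookie.attrs
    httponly = "httponly" in cookie.attrs
    samesite = cookie.samesite

    # SameSite=None without Secure: the browser rejects the cookie with no
    # error response, so this only shows up as "login keeps failing".
    if samesite == "none" and not secure:
        findings.append("SameSite=None without Secure: browser will drop cookie")

    if cookie.name.lower() in SESSION_COOKIE_NAMES:
        if not httponly:
            findings.append("session cookie missing HttpOnly")
        if not secure:
            findings.append("session cookie missing Secure")
        if samesite not in ("lax", "strict"):
            findings.append("session cookie SameSite should be explicitly Lax or Strict")
    return findings


def audit_headers(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header in a response; keys are cookie names."""
    return {c.name: audit_cookie(c)
            for c in map(parse_set_cookie, set_cookie_headers)}


# Constructed sample Set-Cookie lines (not from a real application).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",   # passes
    "auth=abc123; Path=/",                                        # three findings
    "tracking=xyz; SameSite=None",                                # silently dropped
    "api_session=tok; Secure; HttpOnly; SameSite=None",           # valid cross-site use
]

if __name__ == "__main__":
    for cookie_name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: {findings or 'OK'}")
```

Feed it the list of Set-Cookie headers from a login response (most HTTP clients expose them as a list, since a response may carry several) and assert that session cookies produce no findings.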
CSRF (Cross-Site Request Forgery)
An attack that tricks an authenticated user's browser into sending a state-changing request to a site they are logged into, without their knowledge. Because the browser automatically attaches session cookies, the target server sees a legitimate-looking request. Classic mitigations: synchroniser tokens (a server-issued nonce added to forms and verified on submission), SameSite cookie attributes, and checking the Origin or Referer header. From a QA perspective: every state-changing endpoint (POST, PUT, PATCH, DELETE) should require a valid CSRF token or rely on SameSite=Strict/Lax cookies.
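The two server-side mitigations named in this entry, an Origin/Referer check and a synchroniser token, can be combined into one framework-agnostic check. The Python below is an added example written for this page, not code from any particular web framework; the host name, the hypothetical `csrf_check` signature and the sample requests are constructed assumptions. It skips safe methods, rejects state-changing requests whose origin is absent or not in the allowlist, and compares the submitted token to the session's token in constant time.

```python
"""Server-side CSRF validation (added example, not code from the glossary page).

Combines an Origin/Referer check with a synchroniser token tied to the session.
Framework-agnostic: the caller passes the request method, headers and the
token submitted with the form.  Host names and request data below are
constructed sample values.
"""
import hmac
import secrets
from typing import Dict, Mapping, Optional, Set
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_csrf_token() -> str:
    """Create an unguessable per-session token; the server stores it in the session."""
    return secrets.token_urlsafe(32)


def _request_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Return 'scheme://host[:port]' from Origin, falling back to Referer."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    if origin and origin != "null":
        return origin.lower()
    referer = h.get("referer")
    if referer:
        u = urlsplit(referer)
        if u.scheme and u.netloc:
            return f"{u.scheme}://{u.netloc}".lower()
    return None


def csrf_check(method: str, headers: Mapping[str, str], submitted_token: Optional[str],
               session_token: Optional[str], allowed_origins: Set[str]) -> str:
    """Return 'ok' or a rejection reason for the given request."""
    if method.upper() in SAFE_METHODS:
        return "ok"  # safe methods must not change state, so no token is required
    origin = _request_origin(headers)
    if origin is None:
        return "reject: no Origin or Referer on state-changing request"
    if origin not in allowed_origins:
        return f"reject: cross-site origin {origin}"
    if not submitted_token or not session_token:
        return "reject: missing CSRF token"
    # Constant-time comparison so the token cannot be recovered via timing.
    if not hmac.compare_digest(submitted_token.encode(), session_token.encode()):
        return "reject: CSRF token mismatch"
    return "ok"


# Constructed sample data (hypothetical site, not a real deployment).
ALLOWED = {"https://app.example"}
SESSION_TOKEN = issue_csrf_token()

SAMPLE_REQUESTS = {
    "legit_form_post": ("POST", {"Origin": "https://app.example"}, SESSION_TOKEN),
    "cross_site_post": ("POST", {"Origin": "https://other-site.example"}, SESSION_TOKEN),
    "missing_token":   ("POST", {"Referer": "https://app.example/settings"}, None),
    "stale_token":     ("DELETE", {"Origin": "https://app.example"}, "not-the-token"),
    "plain_get":       ("GET", {}, None),
}


def run_samples() -> Dict[str, str]:
    """Evaluate every sample request against the session token and allowlist."""
    return {name: csrf_check(m, h, tok, SESSION_TOKEN, ALLOWED)
            for name, (m, h, tok) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

The origin check runs before the token check so a forged cross-site request is rejected even if the token were somehow known; in a QA suite, every POST/PUT/PATCH/DELETE endpoint should be exercised with each of the sample cases above.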
Session
A server-side or client-side record that persists a user's authenticated state across requests. Sessions are created on login, referenced by a session ID sent in a cookie or header, and invalidated on logout or expiry. Testing considerations include: session fixation (attacker sets the victim's session ID before login), failure to rotate the ID after privilege escalation, excessively long session lifetimes that extend exposure after credential compromise, and whether logout actually invalidates the server-side session.
HTTP Header
A key-value metadata field attached to an HTTP request or response, transmitted before the body. Request headers describe the client and request context (User-Agent, Accept, Content-Type, Authorization, Cookie); response headers describe the server's response and instruct the client (Content-Type, Set-Cookie, Cache-Control, CORS access-control headers, security headers). Header names are case-insensitive. QA testing checklist: assert Content-Type matches the body format; verify security headers are present on responses (HSTS, CSP, X-Frame-Options, X-Content-Type-Options); confirm sensitive request headers (Authorization, Cookie) are not logged or exposed in error responses; verify CORS headers permit only expected origins.
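The response-side items of this checklist (Content-Type agrees with the body, security headers present, CORS origin expected, sensitive request headers not echoed) can be checked in one pass over a response. The Python below is an added example for this page, not code from any library; the two sample responses and the expected-origin set are constructed, and the JSON-versus-Content-Type heuristic is one simple choice among several.

```python
"""HTTP response header audit (added example, not code from the glossary page).

Applies the HTTP Header checklist to a response: Content-Type agrees with the
body, the named security headers are present, X-Content-Type-Options is
'nosniff', the CORS Access-Control-Allow-Origin value is an expected origin
(never '*' when credentials are allowed), and the body does not echo
Authorization or Cookie request headers.  Header names are compared
case-insensitively.  Both responses below are constructed sample data.
"""
import json
from typing import Dict, List, Set

REQUIRED_SECURITY_HEADERS = [
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
]

# Header-line shapes that indicate a request header was copied into an error body.
ECHOED_HEADER_MARKERS = (b"authorization: ", b"cookie: ")


def _body_looks_like_json(body: bytes) -> bool:
    try:
        json.loads(body.decode("utf-8"))
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def audit_response(headers: Dict[str, str], body: bytes, expected_origins: Set[str]) -> List[str]:
    """Return findings (empty list means the response passes the checklist)."""
    h = {k.lower(): v for k, v in headers.items()}  # case-insensitive names
    findings: List[str] = []

    ctype = h.get("content-type", "")
    if _body_looks_like_json(body) and "application/json" not in ctype.lower():
        findings.append(f"body is JSON but Content-Type is {ctype!r}")

    for name in REQUIRED_SECURITY_HEADERS:
        if name not in h:
            findings.append(f"missing security header {name}")

    if h.get("x-content-type-options", "").lower() not in ("", "nosniff"):
        findings.append("X-Content-Type-Options should be 'nosniff'")

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is not None:
        if acao == "*" and creds:
            findings.append("ACAO '*' with credentials: browsers reject it and it signals an over-broad policy")
        elif acao != "*" and acao.lower() not in expected_origins:
            findings.append(f"unexpected CORS origin {acao}")

    lower_body = body.lower()
    if any(marker in lower_body for marker in ECHOED_HEADER_MARKERS):
        findings.append("response body echoes a sensitive request header")
    return findings


# Constructed sample responses (hypothetical application, not real traffic).
BAD_RESPONSE = {
    "headers": {
        "Content-Type": "text/html; charset=utf-8",
        "Strict-Transport-Security": "max-age=31536000",
        "Access-Control-Allow-Origin": "https://unexpected.example",
        "Access-Control-Allow-Credentials": "true",
    },
    "body": b'{"user": "alice", "role": "admin"}',
}

GOOD_RESPONSE = {
    "headers": {
        "Content-Type": "application/json",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Access-Control-Allow-Origin": "https://app.example",
        "Access-Control-Allow-Credentials": "true",
    },
    "body": b'{"ok": true}',
}

EXPECTED_ORIGINS = {"https://app.example"}

if __name__ == "__main__":
    for label, resp in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, audit_response(resp["headers"], resp["body"], EXPECTED_ORIGINS) or "OK")
```

In a test suite, run `audit_response` over every endpoint's response and assert an empty list; the error-response echo check is worth running specifically against 4xx/5xx responses produced by malformed requests, which is where debugging output tends to leak headers.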