Configure SameSite value in cookie
The SameSite attribute on a cookie tells the web browser whether the cookie should be included with cross-site requests, helping to mitigate Cross-Site Request Forgery (CSRF) attacks. The attribute has three possible values:
Strict: The cookie is only sent in a first-party context, blocking its inclusion in cross-site requests from third-party websites.
Lax: The cookie can be sent with cross-site GET requests triggered by top-level navigation from third-party websites, such as when a user clicks a link on an external site.
None: The cookie is explicitly configured to be sent by the browser in all contexts, including cross-site requests.
By default, the SameSite value is set to "lax".
To change its value, pass cookie-samesite in the custom-values.yaml like this:
kfuse-auth:
  oauth2-proxy:
    extraArgs:
      cookie-samesite: "strict"
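The following is an added example (not part of the kfuse-auth or oauth2-proxy documentation) that models the browser's SameSite decision for the three values described above and extracts the SameSite attribute from a Set-Cookie header so the deployed setting can be checked; the cookie name and header contents are constructed samples.

```python
from dataclasses import dataclass


@dataclass
class Request:
    same_site: bool             # request site matches the cookie's site (first-party)
    method: str                 # HTTP method of the request
    top_level_navigation: bool  # user navigation (link click, form submit) vs. subresource/XHR


def cookie_sent(samesite: str, req: Request) -> bool:
    """Return True if a browser would attach the cookie to this request.

    Models the three SameSite values: Strict never crosses sites, Lax crosses
    only on top-level navigations with a safe method, None always crosses
    (browsers additionally require the Secure attribute for None).
    """
    value = (samesite or "lax").lower()  # absent attribute is treated as Lax
    if req.same_site:
        return True  # first-party requests always carry the cookie
    if value == "none":
        return True
    if value == "strict":
        return False
    if value == "lax":
        return req.top_level_navigation and req.method.upper() in ("GET", "HEAD")
    raise ValueError(f"unknown SameSite value: {samesite!r}")


def samesite_from_set_cookie(header: str) -> str:
    """Extract the SameSite value (lowercased) from a Set-Cookie header.

    Returns "lax" when the attribute is absent, matching the default above.
    """
    for attr in header.split(";")[1:]:
        name, _, val = attr.strip().partition("=")
        if name.lower() == "samesite":
            return val.strip().lower()
    return "lax"


# Constructed sample of a Set-Cookie header as a proxy might emit it after
# cookie-samesite is set to "strict" (value and expiry are placeholders).
SAMPLE_SET_COOKIE = (
    "_oauth2_proxy=PLACEHOLDER_SESSION; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT; "
    "HttpOnly; Secure; SameSite=Strict"
)

if __name__ == "__main__":
    forged_post = Request(same_site=False, method="POST", top_level_navigation=True)
    for v in ("strict", "lax", "none"):
        print(f"{v:>6}: cross-site POST carries cookie -> {cookie_sent(v, forged_post)}")
```

With the sample header the check reports "strict", and the cross-site POST case shows that only the None setting lets a forged form submission carry the session cookie.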