
I am not able to see SameSite=Strict using builtin developer tools in the “Application” tab.

I have added the Header directives below to my Apache configuration:

Header always edit Set-Cookie (.*) "$1;SameSite=Strict"
Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict

Please let me know how to set SameSite=Strict using the above settings.

Abhishek Habbu

2 Answers


For apache2 >= 2.2.4

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict

For apache2 lower than 2.2.4

Header set Set-Cookie HttpOnly;Secure;SameSite=Strict
DevAb
  • The second example sets a cookie with no cookie name or cookie value. – covener Feb 05 '20 at 22:12
  • This answer stopped working somewhere between 2.4.26 and 2.4.34. Coderer's comment in an answer below, suggests switching to Header onsuccess edit... and that indeed made it work again. The module documentation appears to be totally inconsistent with the behavior. It claims onsuccess is the default (thus can be omitted), but it doesn't work without explicitly adding it now. It also claims onsuccess is for 2xx responses, but it appears to work fine with 3xx redirects both before (when onsuccess was the default) and now with it set explicitly. – Daemon42 Mar 21 '22 at 17:14

In my local environment (Apache 2.4), after enabling mod_headers, I was able to achieve this by adding directives like the ones below in my vhost:

<ifmodule mod_headers.c>
Header always edit Set-Cookie (.*) "$1; SameSite=strict"
</ifmodule> 

Where is the difference? Why didn't it work for you? Maybe it's the lack of a space after the semicolon?

<ifmodule mod_headers.c>
# always is similar to "onerrors"
        Header always edit Set-Cookie (.*) "$1; SameSite=strict"
# success is similar to http 2xx response code
        Header onsuccess edit Set-Cookie (.*) "$1; SameSite=strict"
# remove duplications (apache sends from both tables always and onsuccess)
        ## https://www.tunetheweb.com/security/http-security-headers/secure-cookies/
        #Strip off double SameSite=strict settings as using above you can sometimes get both
        Header edit Set-Cookie ^(.*);\s?SameSite=strict;?\s?(.*);\s?SameSite=strict;?\s?(.*)$ "$1; $2; $3; SameSite=strict"

        #Strip off double ;; settings
        Header edit Set-Cookie ^(.*);\s?;\s?(.*)$ "$1; $2"

</ifmodule>

[apache manual](https://httpd.apache.org/docs/2.2/de/mod/mod_headers.html)

[stack discussion] (httpd duplicate Access-Control-Allow-Origin with "Header always set")

Asui
  • Are there any other reasons why this wouldn't work. I'm doing exactly the same with httpd 2.4.46 but no luck. – RTF May 20 '21 at 12:22
  • I had a problem where `Header always edit` didn't work but `Header onsuccess edit` did. The [docs for mod_headers](https://httpd.apache.org/docs/current/mod/mod_headers.html#header) explain why -- `always` and `onsuccess` are just two different tables and the header you're looking for could be in either one (or both) – Coderer May 28 '21 at 14:05
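To see what the directive chain in the answer above does to a cookie when both the `always` and `onsuccess` tables edit it (the duplication the comments discuss), here is an added Python model of `Header edit` plus a Set-Cookie checker. It is not code from either answer or from Apache; the sample cookie value is constructed, and the checker also flags the nameless cookie that the first answer's `Header set` line would produce (covener's comment).

```python
import re

# The four `Header ... edit` directives from the answer above, modelled as
# (regex, replacement) pairs. mod_headers writes back-references as $1..$9;
# Python's re wants \g<1>, so header_edit() converts them.
EDIT_RULES = [
    (r"(.*)", r"$1; SameSite=strict"),                                  # Header always edit
    (r"(.*)", r"$1; SameSite=strict"),                                  # Header onsuccess edit
    (r"^(.*);\s?SameSite=strict;?\s?(.*);\s?SameSite=strict;?\s?(.*)$",
     r"$1; $2; $3; SameSite=strict"),                                   # strip double SameSite
    (r"^(.*);\s?;\s?(.*)$", r"$1; $2"),                                 # strip double ;;
]


def header_edit(value, pattern, replacement):
    """Model of `Header edit`: one search-and-replace on the header value, first match only."""
    return re.sub(pattern, re.sub(r"\$(\d)", r"\\g<\1>", replacement), value, count=1)


def apply_rules(value, rules=EDIT_RULES):
    """Run the directives in order. Assumption: the cookie is edited by BOTH the
    `always` and the `onsuccess` rule, which is the case the dedup rules target."""
    for pattern, replacement in rules:
        value = header_edit(value, pattern, replacement)
    return value


def audit_set_cookie(value):
    """Parse a Set-Cookie value the way RFC 6265 does (split on ';', trim, skip empty
    attributes) and report what to verify: one SameSite, Secure/HttpOnly, a real name."""
    parts = [p.strip() for p in value.split(";")]
    name_value, attrs = parts[0], [a for a in parts[1:] if a]
    samesite = [a.split("=", 1)[1].strip().lower() for a in attrs
                if "=" in a and a.split("=", 1)[0].strip().lower() == "samesite"]
    return {
        # a set-cookie-string whose first part has no '=' is discarded by browsers
        "name": name_value.split("=", 1)[0].strip() if "=" in name_value else None,
        "samesite": samesite[0] if len(samesite) == 1 else None,  # None: absent or duplicated
        "samesite_count": len(samesite),
        "secure": any(a.lower() == "secure" for a in attrs),
        "httponly": any(a.lower() == "httponly" for a in attrs),
        "empty_attributes": len(parts) - 1 - len(attrs),
    }


if __name__ == "__main__":
    cookie = "sessionid=abc123; Path=/; HttpOnly"  # constructed sample
    for label, rules in (("always only", EDIT_RULES[:1] + EDIT_RULES[2:]),
                         ("both tables, no dedup", EDIT_RULES[:2]),
                         ("both tables + dedup", EDIT_RULES)):
        out = apply_rules(cookie, rules)
        print(f"{label:24} {out!r}\n{'':24} {audit_set_cookie(out)}")
    print("nameless cookie:", audit_set_cookie("HttpOnly;Secure;SameSite=Strict"))
```

With the sample cookie the full chain ends with a single `SameSite=strict` plus one empty attribute (`; ;`), which browsers skip under RFC 6265; the audit reports it in `empty_attributes` so you can spot it when checking the real response headers.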