SecPrep

Which cookie attribute prevents the cookie from being sent on cross-site requests?

  • 1. HttpOnly
  • 2. Secure
  • 3. SameSite ✓ correct
  • 4. Domain

SameSite=Lax/Strict restricts cross-site sending (a CSRF mitigation). HttpOnly hides the cookie from JavaScript; Secure restricts it to HTTPS.

SameSite controls cross-site sending; HttpOnly blocks JS access; Secure requires HTTPS.
