Will It Vibe logoWill It Vibe?
AUTHZ-009Low severity-4 points

Django session cookie SameSite disabled

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

Django SESSION_COOKIE_SAMESITE is set to None, so the session cookie rides along on cross-site requests and widens CSRF exposure.

Why it matters

SESSION_COOKIE_SAMESITE = None removes the SameSite restriction, so the browser attaches the session cookie to cross-site requests. That widens the surface for CSRF-style attacks where another site triggers authenticated actions in the user's session. Lax is the sensible default for a session cookie.

How to fix it

Set SESSION_COOKIE_SAMESITE = 'Lax' (or 'Strict' if the app has no legitimate cross-site navigation into authenticated pages). Use 'None' only when you genuinely need cross-site cookie delivery, and then only together with Secure. Review any embedded or cross-origin flows before loosening this.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks