Django session cookie SameSite disabled
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
Django SESSION_COOKIE_SAMESITE is set to None, so the session cookie rides along on cross-site requests and widens CSRF exposure.
Why it matters
SESSION_COOKIE_SAMESITE = None removes the SameSite restriction, so the browser attaches the session cookie to cross-site requests. That widens the surface for CSRF-style attacks where another site triggers authenticated actions in the user's session. Lax is the sensible default for a session cookie.
How to fix it
Set SESSION_COOKIE_SAMESITE = 'Lax' (or 'Strict' if the app has no legitimate cross-site navigation into authenticated pages). Use 'None' only when you genuinely need cross-site cookie delivery, and then only together with Secure. Review any embedded or cross-origin flows before loosening this.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo