Cookies with the SameSite attribute set to 'None' will be sent with cross-origin requests. This can sometimes allow for Cross-Site Request Forgery (CSRF) attacks, in which a third-party site could perform actions on behalf of a user, if the cookie is used for authentication.

Set the samesite attribute to Lax or Strict, or add "; SameSite=Lax" or "; SameSite=Strict" to the cookie's raw header value. When the attribute is omitted, the default in most cases is Lax.

In the following examples, the cases marked GOOD show secure cookie attributes being set, whereas in the case marked BAD they are not.
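As an added illustration (not one of the page's own GOOD/BAD cases), the Python below parses a raw Set-Cookie header value, flags SameSite=None as CSRF-exposed while treating a missing attribute as Lax (the default noted above), notes that browsers also require Secure alongside SameSite=None, and rewrites a weak value with SameSite=Lax. The cookie names and values are constructed samples.

```python
from dataclasses import dataclass, field

# Assumptions: a missing SameSite attribute behaves as Lax (the default
# described above), and browsers only honour SameSite=None when Secure is set.
LABELS = {"samesite": "SameSite", "httponly": "HttpOnly", "max-age": "Max-Age"}


@dataclass
class CookieAudit:
    name: str
    samesite: str            # effective value: "Lax", "Strict" or "None"
    secure: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(raw: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val|None})."""
    parts = [p.strip() for p in raw.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in filter(None, parts[1:]):
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def audit_set_cookie(raw: str) -> CookieAudit:
    """Report whether a cross-site request would carry this cookie."""
    name, _, attrs = parse_set_cookie(raw)
    raw_samesite = attrs.get("samesite")
    samesite = (raw_samesite or "Lax").capitalize()   # absent -> Lax default
    audit = CookieAudit(name, samesite, "secure" in attrs)
    if samesite == "None":
        audit.problems.append("SameSite=None: sent on cross-site requests, so a "
                              "third-party page can ride on it (CSRF) if it authenticates")
        if not audit.secure:
            audit.problems.append("SameSite=None without Secure: browsers reject the cookie")
    elif samesite not in ("Lax", "Strict"):
        audit.problems.append(f"unrecognised SameSite value {raw_samesite!r}")
    return audit


def harden_set_cookie(raw: str, samesite: str = "Lax") -> str:
    """Rewrite the raw header value with SameSite=Lax (or Strict) and Secure."""
    name, value, attrs = parse_set_cookie(raw)
    attrs.pop("samesite", None)
    attrs.update({"samesite": samesite, "secure": None})
    pieces = [f"{name}={value}"]
    for key, val in attrs.items():
        label = LABELS.get(key, key.capitalize())
        pieces.append(label if val is None else f"{label}={val}")
    return "; ".join(pieces)


BAD = "session=abc123; Path=/; SameSite=None"                     # constructed
GOOD = "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"  # constructed
```

Running `audit_set_cookie` over BAD yields two findings, over GOOD none, and `harden_set_cookie(BAD)` produces a value that audits clean.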

  • MDN: Set-Cookie.
  • OWASP: SameSite.