From 8342e6871214defcc98ca5c27ea66f118be4d60c Mon Sep 17 00:00:00 2001
From: Koda Reef
Date: Sun, 22 Mar 2026 23:51:28 +0000
Subject: [PATCH] Default SESSION_COOKIE_SAMESITE to "Lax"

Change the default value of SESSION_COOKIE_SAMESITE from None to "Lax". When set to None, Flask does not include the SameSite attribute on session cookies, relying on browser defaults. While modern browsers default to Lax behavior when the attribute is absent, setting it explicitly ensures consistent CSRF defense across all browser versions, including older ones that do not apply the Lax default. Django has defaulted to "Lax" since 2.1 (2018). This aligns Flask with the ecosystem standard. Applications that require cross-site cookie behavior can set SESSION_COOKIE_SAMESITE to None (with SESSION_COOKIE_SECURE=True).

---
 src/flask/app.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/flask/app.py b/src/flask/app.py
index 652b9bbf..d7b86d68 100644
--- a/src/flask/app.py
+++ b/src/flask/app.py
@@ -221,7 +221,7 @@ class Flask(App):
 "SESSION_COOKIE_HTTPONLY": True,
 "SESSION_COOKIE_SECURE": False,
 "SESSION_COOKIE_PARTITIONED": False,
- "SESSION_COOKIE_SAMESITE": None,
+ "SESSION_COOKIE_SAMESITE": "Lax",
 "SESSION_REFRESH_EACH_REQUEST": True,
 "MAX_CONTENT_LENGTH": None,
 "MAX_FORM_MEMORY_SIZE": 500_000,
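Review bot: The new default on the `+ "SESSION_COOKIE_SAMESITE": "Lax",` line is a behavior change that the diffstat shows landing only in src/flask/app.py, so the configuration reference and changelog (which, as far as I recall, still document this key's default as `None`) and any test that asserts the default config will be stale; this commit should carry a changelog entry and the matching doc update so users are told that the session cookie is now withheld on cross-site top-level POST navigations, which is exactly the CSRF mitigation intended but will break flows such as identity-provider callbacks that POST back to the app. The opt-out the message describes (`SESSION_COOKIE_SAMESITE = None` together with `SESSION_COOKIE_SECURE = True`) is worth stating in that entry too, since browsers discard a `SameSite=None` cookie without `Secure` and `SESSION_COOKIE_SECURE` still defaults to `False` in the same dict. A short trailing comment on the changed line, `# "Lax": explicit CSRF defense; set to None (with SESSION_COOKIE_SECURE=True) for cross-site use`, would keep the rationale next to the value. The `default_config` mapping and the `Flask` class both start and end outside this hunk.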