HTTP sameSite Cookie Configuration

  • For better security, Digital.ai Release 22.1 and later support the SameSite attribute of the Set-Cookie HTTP response header, which lets the session cookie be restricted to a first-party or same-site context so that browsers do not attach it to cross-site requests.
  • Valid values for the new xl.server.http.cookie.sameSite configuration parameter are Lax and Strict.
  • For sites that use OIDC, the sameSite parameter must always be set to Lax: the identity provider redirects the browser back to Release in a cross-site top-level navigation, and a Strict cookie is not sent on that request, so the login would not complete.
  • For remember-me, the sameSite parameter must always be set to Strict.
For example, to set the attribute to Lax in the server configuration:

xl {
    ...
    server {
        http {
            cookie {
                # Lax or Strict; see the notes above for OIDC and remember-me
                sameSite = Lax
            }
        }
    }
    ...
}
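The following is an added illustration, not code from Digital.ai Release or its documentation. It models the browser's SameSite decision for a cookie under Lax and Strict, shows why the OIDC redirect back to Release (a cross-site top-level GET) only works with Lax, and audits a Set-Cookie header for the attribute. The cookie name SESSION and the sample header are constructed for the example and are assumptions, not values taken from the product.

```python
# Added illustration (not Digital.ai code): how a browser decides whether to
# attach a cookie under SameSite=Lax vs SameSite=Strict, plus a small
# Set-Cookie audit that checks for the values this setting accepts.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_sent(same_site, same_site_request, top_level_navigation, method):
    """Return True if a browser attaches the cookie to the request.

    same_site:            the cookie's SameSite attribute (Strict, Lax or None)
    same_site_request:    the request originates from the cookie's own site
    top_level_navigation: the request changes the address bar (redirect, link)
    method:               HTTP method of the request
    """
    if same_site_request:
        return True  # same-site requests always carry the cookie
    value = same_site.lower()
    if value == "strict":
        return False  # never sent on a cross-site request
    if value == "lax":
        # sent cross-site only on a top-level navigation with a safe method
        return top_level_navigation and method.upper() in SAFE_METHODS
    if value == "none":
        return True  # sent everywhere; browsers also require the Secure flag
    raise ValueError("unknown SameSite value: %s" % same_site)


def oidc_callback_sent(same_site):
    """The IdP redirects the browser back to Release: a cross-site top-level GET."""
    return cookie_sent(same_site, same_site_request=False,
                       top_level_navigation=True, method="GET")


def parse_set_cookie(header):
    """Split a Set-Cookie header into the cookie name and lower-cased attributes."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_set_cookie(header):
    """Report a missing SameSite attribute or a value other than Lax/Strict."""
    name, attrs = parse_set_cookie(header)
    findings = []
    value = attrs.get("samesite", "").lower()
    if not value:
        findings.append("%s: no SameSite attribute" % name)
    elif value not in ("lax", "strict"):
        findings.append("%s: SameSite=%s is not Lax or Strict" % (name, attrs["samesite"]))
    if value == "none" and "secure" not in attrs:
        findings.append("%s: SameSite=None requires Secure" % name)
    return findings


# Constructed sample header (cookie name assumed), as a server might emit it
# after setting sameSite = Lax.
SAMPLE_HEADER = "Set-Cookie: SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for value in ("Lax", "Strict"):
        print("SameSite=%s: cookie present on OIDC redirect back -> %s"
              % (value, oidc_callback_sent(value)))
    print("audit:", audit_set_cookie(SAMPLE_HEADER) or "no findings")
```

Under Lax a cross-site form POST (the classic CSRF vector) still does not carry the cookie, which is what makes Lax an acceptable setting for the OIDC case; Strict additionally blocks the cookie on cross-site top-level GETs, which is why it breaks the redirect back from the identity provider.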