SameSite protection

INFO

This feature has been introduced with Shopware version 6.4.3.1

Overview

The SameSite configuration comes with the Symfony FrameworkBundle and supersedes the removed sw_csrf Twig function. It is widely available in modern browsers and is set to lax per default.

For more information, refer to SameSite cookies site

Configuration

Changes to the cookie_samesite attribute can be applied to your framework.yaml. The cookie_secure ensures that cookies are sent via HTTP or HTTPS, depending on the request's origin.

yaml


framework:
  session:
    cookie_secure: 'auto'
    cookie_samesite: lax

If you want to deactivate the SameSite protection despite security risks, change the value from lax to null. For detailed configuration options, check the official Symfony Docs.

Catalog

Checkout

Content

Architecture

Community Setups

Plugins

Plugin fundamentals

Checkout

Cart

Document

Order

Payment

Content

CMS

Mail

Media

SEO

Sitemap

Stock

Elasticsearch

Framework

Data Handling / DataAbstractionLayer

Custom Fields

Event

Message Queue

Rule

Store API

Filesystem

Flow

Rate Limiter

Administration

Storefront

Testing

API

Themes

Apps

App Starter Guides

App SDKs

Official PHP SDK

App Scripts

Storefront

Administration

Flow Builder

Custom Data

Content

CMS

Rule Builder

Installation & Updates

Deployments

Configurations

Shopware

Framework

Observability

Performance

Infrastructure

Elasticsearch

General Concepts

Migration Assistant

Concept

Guides

B2B Suite

Concepts

Guides

Core

Storefront

B2B Components

Employee Management

Concepts

Guides

Quotes Management

Guides

Order Approval

Advanced Search

Installation

Core Reference

DAL Reference

App Reference

Script Reference

Administration Reference

Upgrades

SameSite protection

Overview

Configuration