# Post Authentication - Session Management - Session security

Source: https://supertokens.com/docs/post-authentication/session-management/security

## Overview

The following page takes you through some common security considerations that the **SuperTokens** `Session` recipe handles.

---

## Anti-csrf

CSRF attacks can happen if a logged in user visits a malicious website which makes an API call to your website's API to maliciously change that user's data.

To protect against this attack, the cookie `sameSite` attribute works along with some anti-csrf measures. This attribute declares if your cookies should restrict to a first-party or same-site context. Configuring `sameSite` can prevent CSRF attacks. For example, if `sameSite` is `lax`, the browser only sends cookies for requests that originate from the same top level domain as the API's domain. If a user visits a malicious site, requests from that site do not carry the session cookies.

### Configure anti-csrf

:::caution
- SuperTokens automatically defends against CSRF attacks.
- Please only change this setting if you know what you are doing. If you are unsure, please feel free to [ask questions](https://supertokens.com/discord).
- This setting does not apply while using header-based authentication, since headers get the same protection as `antiCsrf` set to `VIA_CUSTOM_HEADER`.
:::

You can change the `antiCsrf` configuration option to take control of the kind of protection you get. You can use one of the following values:

- `"NONE"` would disable any anti-csrf protection from our end. You can use this if you have your own implementation of CSRF protection.
- `"VIA_CUSTOM_HEADER"` uses [this method](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#use-of-custom-request-headers) to provide CSRF protection. This is set automatically if `sameSite` is `none` or if your `apiDomain` and `websiteDomain` do not share the same top level domain name.
- `"VIA_TOKEN"` uses an explicit anti-csrf token. Use this method if you want to allow any origin to query your APIs. This method may cause issues in browsers like Safari, especially if your site is embedded as an `iframe`.

```tsx
SuperTokens.init({
    supertokens: {
        connectionURI: "...",
    },
    appInfo: {
        apiDomain: "...",
        appName: "...",
        websiteDomain: "..."
    },
    recipeList: [
        Session.init({
            // highlight-next-line
            antiCsrf: "VIA_CUSTOM_HEADER", // Should be one of "NONE" or "VIA_CUSTOM_HEADER" or "VIA_TOKEN"
        })
    ]
});
```

## Same site cookies

The `sameSite` cookie attribute declares if your cookies should restrict to a first-party or same-site context. The `sameSite` attribute can have three possible values:

- `none`
  - Cookies attach in all contexts, that is, cookies attach to both first-party and cross-origin requests.
  - On Safari however, if third-party cookies do not work (which is the default behavior), and the website and `API` domains do not share the same top-level domain, then cookies are not sent. Please check [the session management page](/docs/post-authentication/session-management/switch-between-cookies-and-header-authentication) to see how you can switch to using headers.
- `lax`
  - Cookies are only sent in a first-party context and along with `GET` requests initiated by third party websites (that result in browser navigation - user clicking on a link).
- `strict`
  - Cookies are only sent in a first-party context and not sent along with requests initiated by third party websites.

### Configuration

:::caution
- SuperTokens automatically sets the value of the `sameSite` cookie attribute based on your website and `API` domain configuration.
- Please only change this setting if you are a web security expert. If you are unsure, please feel free to [ask questions](https://supertokens.com/discord).
:::

```tsx
SuperTokens.init({
    supertokens: {
        connectionURI: "...",
    },
    appInfo: {
        apiDomain: "...",
        appName: "...",
        websiteDomain: "..."
    },
    recipeList: [
        Session.init({
            // highlight-next-line
            cookieSameSite: "strict", // Should be one of "strict" or "lax" or "none"
        }),
    ],
});
```

## Cookie secure

```tsx
SuperTokens.init({
    supertokens: {
        connectionURI: "...",
    },
    appInfo: {
        apiDomain: "...",
        appName: "...",
        websiteDomain: "..."
    },
    recipeList: [
        Session.init({
            //highlight-next-line
            cookieSecure: true,
        })
    ]
});
```

## Access token signing key

```tsx
SuperTokens.init({
    supertokens: {
        connectionURI: "...",
    },
    appInfo: {
        apiDomain: "...",
        appName: "...",
        websiteDomain: "..."
    },
    recipeList: [
        Session.init({
            //highlight-next-line
            useDynamicAccessTokenSigningKey: false,
        })
    ]
});
```

:::caution
Updating this value causes a spike in the session refresh API, as and when users visit your application.
:::