Remediation Steps

Follow the steps below to remediate this finding on a Microsoft IIS web server.

  1. In web.config, use URL Rewrite to append SameSite=Lax or SameSite=Strict to Set-Cookie headers:

    <rewrite>
    <outboundRules>
    <rule name="Add SameSite" preCondition="No SameSite">
    <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
    <action type="Rewrite" value="{R:0}; SameSite=Lax" />
    </rule>
    <preConditions>
    <preCondition name="No SameSite">
    <add input="{RESPONSE_Set_Cookie}" pattern=".+" />
    <add input="{RESPONSE_Set_Cookie}" pattern=".*SameSite.*" negate="true" />
    </preCondition>
    </preConditions>
    </outboundRules>
    </rewrite>
  2. This requires the URL Rewrite module to be installed on the IIS server; the rule above is ignored without it.
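To see exactly what the outbound rule does before deploying it, here is an added Python model (not code from the page or from IIS) that reproduces the rule's precondition and action over constructed Set-Cookie header values and audits a response's headers for cookies that still lack SameSite. The header values, cookie names and the function names are assumptions made for this example.

```python
"""Offline model of the IIS 'Add SameSite' outbound rule plus an audit helper.

Added example, not part of the original remediation page and not IIS code.
The sample response headers below are constructed, not captured.
"""
import re

# IIS URL Rewrite patterns are case-insensitive by default (ignoreCase="true"),
# so the precondition ".*SameSite.*" also matches "samesite=none".
# Note it is a substring match on the whole header value, not an attribute parse.
HAS_SAMESITE = re.compile(r".*SameSite.*", re.IGNORECASE)
NON_EMPTY = re.compile(r".+")


def rewrite_set_cookie(header_value: str, mode: str = "Lax") -> str:
    """Apply the 'Add SameSite' rule to one Set-Cookie header value.

    Precondition 'No SameSite': the header must be non-empty (".+") and must
    not already contain SameSite (negated ".*SameSite.*"). Only then does the
    action rewrite the value to "{R:0}; SameSite=<mode>", {R:0} being the
    whole matched value. Cookies that already carry SameSite (for example
    SameSite=None; Secure for legitimate cross-site use) are left untouched.
    """
    if mode not in ("Lax", "Strict"):
        raise ValueError("the page recommends SameSite=Lax or SameSite=Strict")
    if not NON_EMPTY.fullmatch(header_value):  # precondition 1 fails
        return header_value
    if HAS_SAMESITE.fullmatch(header_value):   # negated precondition 2 fails
        return header_value
    return f"{header_value}; SameSite={mode}"


def audit_set_cookie(headers: list[tuple[str, str]]) -> list[str]:
    """Return names of cookies whose Set-Cookie header has no SameSite attribute.

    Run this over the headers of a live response after deploying the rule;
    an empty list means every cookie carries the attribute.
    """
    return [value.split("=", 1)[0].strip()
            for name, value in headers
            if name.lower() == "set-cookie" and not HAS_SAMESITE.fullmatch(value)]


# Constructed sample response headers (not from a real server).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; path=/; SameSite=Strict"),
    ("Set-Cookie", "tracker=xyz; path=/; Secure; samesite=none"),
]

if __name__ == "__main__":
    print("Missing SameSite before:", audit_set_cookie(SAMPLE_HEADERS))
    after = [(n, rewrite_set_cookie(v) if n == "Set-Cookie" else v)
             for n, v in SAMPLE_HEADERS]
    print("Missing SameSite after: ", audit_set_cookie(after))
```

The same audit can be applied to the headers of a real response after the rule is in place to confirm the finding is closed.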