fadaly.net/work/cookie-inspector
WEB INSPECTOR

INSPECT.

32 cookies cataloged with attribute-level inspection. 8 missing SameSite=Lax/Strict in production traffic. 4 set without the Secure flag on HTTPS-only domains.

A cookie without SameSite is a CSRF waiting for the right click.

CI-022 · _ga_session · marketing.com · SAMESITE NONE
SameSite=None · Secure=true · HttpOnly=false. Spec: should be Lax.
Set SameSite=Lax and HttpOnly=true, then audit the issues reported in Chrome DevTools.
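The attribute-level check behind a finding like CI-022 can be sketched as follows. This is an added example, not the inspector's own code; the function names and the sample `Set-Cookie` values are constructed for illustration, and every domain is assumed to be HTTPS-only.

```python
# Added example: attribute-level audit of Set-Cookie header values.
# Function names and sample headers are constructed, not taken from the tool.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_cookie(header, https_only=True):
    """Return (cookie name, list of findings) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(header)
    findings = []
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite is %s, expected Lax or Strict" % (samesite or "missing"))
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    if https_only and "secure" not in attrs:
        findings.append("Secure flag missing on HTTPS-only domain")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing")
    return name, findings

# Constructed sample headers; the first mirrors the attributes listed for CI-022.
SAMPLE_HEADERS = [
    "_ga_session=abc123; Path=/; Secure; SameSite=None",
    "sid=xyz; Path=/; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/; Secure; HttpOnly",
    "auth=tok; Path=/; Secure; HttpOnly; SameSite=Strict",
]

def audit_all(headers):
    """Map cookie name -> findings, keeping only cookies with at least one finding."""
    results = (audit_cookie(h) for h in headers)
    return {name: findings for name, findings in results if findings}

if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_HEADERS).items():
        for finding in findings:
            print(f"{cookie}: {finding}")
```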