Open
Description
I might be missing something but I have not yet found a reason why we cannot set `SameSite=Strict` on the Rails session cookie. This is a very minor security win but will likely tick some lower priority boxes in pen tests.
The change would be something along the lines of:
```ruby
# config/application.rb
# Specify cookies SameSite protection level: either :none, :lax, or :strict.
config.action_dispatch.cookies_same_site_protection = :strict # defaults to :lax
```
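As an added example (not code from this issue, from Rails, or from the project), the Ruby below builds a Rack-style `Set-Cookie` header for a session cookie under each `cookies_same_site_protection` level and then audits a list of response headers for the `SameSite` attribute, which is the check a pen test reports on. The function names (`build_session_cookie`, `parse_set_cookie`, `same_site_of`, `audit_same_site`) and the sample cookie values are assumptions made for this example; the header format approximates what Rack emits rather than reproducing it exactly.

```ruby
# Added example, not the project's code: serialise a session cookie with a
# given SameSite level and audit Set-Cookie headers for that attribute.

SAME_SITE_VALUES = %i[none lax strict].freeze

# Build a Set-Cookie header value in the shape Rack produces.
# `same_site` mirrors config.action_dispatch.cookies_same_site_protection.
def build_session_cookie(name, value, same_site: :lax, secure: true, http_only: true, path: "/")
  raise ArgumentError, "same_site must be one of #{SAME_SITE_VALUES}" unless SAME_SITE_VALUES.include?(same_site)
  # Browsers reject SameSite=None unless the cookie is also Secure.
  raise ArgumentError, "SameSite=None requires Secure" if same_site == :none && !secure

  parts = ["#{name}=#{value}", "path=#{path}"]
  parts << "secure" if secure
  parts << "HttpOnly" if http_only
  parts << "SameSite=#{same_site.to_s.capitalize}"
  parts.join("; ")
end

# Parse one Set-Cookie header value into its cookie name and attribute map
# (attribute names are downcased; valueless attributes map to true).
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name = pair.split("=", 2).first
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split("=", 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, attributes: attributes }
end

# Return the SameSite policy of a Set-Cookie header as a symbol.
# A missing attribute is reported as :lax_by_default: modern browsers treat it
# as Lax, but it is weaker than an explicit Lax (Chrome exempts fresh cookies
# on top-level POSTs) and a pen test will flag it.
def same_site_of(header)
  value = parse_set_cookie(header)[:attributes]["samesite"]
  return :lax_by_default if value.nil? || value == true
  value.downcase.to_sym
end

# Audit Set-Cookie headers and return the cookies whose SameSite policy is
# weaker than the required level.
def audit_same_site(headers, required: :strict)
  rank = { none: 0, lax_by_default: 1, lax: 2, strict: 3 }
  headers.each_with_object([]) do |h, findings|
    policy = same_site_of(h)
    next unless rank.fetch(policy, 0) < rank.fetch(required)
    findings << { name: parse_set_cookie(h)[:name], same_site: policy }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample responses: the default Rails cookie next to the hardened one,
  # plus a cookie with no SameSite attribute at all.
  default_cookie = build_session_cookie("_app_session", "abc123")
  strict_cookie  = build_session_cookie("_app_session", "abc123", same_site: :strict)
  puts default_cookie
  puts strict_cookie
  p audit_same_site([default_cookie, strict_cookie, "remember_token=xyz; path=/; HttpOnly"])
end
```

Running the file prints the two header values and reports the `:lax` cookie and the attribute-less `remember_token` as findings while the `Strict` cookie passes. The behavioural trade-off to weigh before flipping the setting: with `SameSite=Strict` the browser omits the cookie on cross-site top-level navigations as well, so a user following a link into the app from another site arrives without their session until the next same-site request; `Lax` still sends it on those navigations.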