Samesite requests, cookies

i have an API i am creating, that can be accessed via any domain.
I keep getting the warning in chrome about the samesite on the cookies needing to be using “None” or they wont work soon.
What it the correct setting to have in my API to allow requests from any domain, or from a list of domains from a database?
I will be using the CSRF Protection and authentication/cookies/sessions via the requests.

You can’t really use CSRF when you are dealing with API only application since CSRF relies on backend to insert CSRF into rendered HTML (correct me if I’m wrong)

But since you are dealing with API and front as totally separate things there is no way to use them together safely.

You should look into JWT for API only projects :slight_smile:

what if i control the frontend tho. It just the domain name that could be anything that the customer uses.
I think the main issue is this all new cookie values google are forcing… The value “none” that needs to be used. How is adonis working to use it?

Just to clarify, are you using Adonis to render views with Edge?

Since step 2 under How It Works requires Adonis to render views https://adonisjs.com/docs/4.1/csrf#_how_it_works

If backend is not rendering views, then you can’t use CSRF at all and should disable it

no, i dont use it to render the views. I am using cookies for the CSRF, which works. but it might stop working soon due to the changes chrome are making and i want to know what adonis is going to do about these chrome cookie changes.

Aaah, I totally missunderstood :sweat_smile:

You can change CSRF cookie settings from config/shield.js in csrf.cookieOptions. In your case you’r looking for sameSite option

yes, but adonis does not yet seem to work with the new value “None”

Adonis used some library under the hood. Could try sending “None” to there directly. I’m not near any Adonis V4 apps currently to look it up from src code. But value you passed into config got sent directly to that underlying library