Pull request overview
Updates the Ory Hydra “Configuring cookies” guide to better explain cookie-related configuration options (especially SameSite) and common browser/runtime constraints.
Changes:
- Expands `SameSite` documentation, including modern browser third-party cookie restrictions and legacy compatibility behavior.
- Adds sections describing cookie domain, path, names (including defaults), and development-mode `Secure` behavior.
- Updates configuration examples to reflect the recommended settings described in the guide.
| Host Hydra on the same eTLD+1 as your application and use `SameSite=Lax` whenever possible. For cross-domain logout, prefer | ||
| [back-channel logout](./logout) over [front-channel logout](./logout) iframes. Embedding the login, consent, or other |
This section links both "back-channel logout" and "front-channel logout" to the same target (./logout), which makes the comparison confusing. Consider linking to distinct anchors (e.g., sections for back-channel vs front-channel) or rewording to link once to the general logout guide.
| Host Hydra on the same eTLD+1 as your application and use `SameSite=Lax` whenever possible. For cross-domain logout, prefer | |
| [back-channel logout](./logout) over [front-channel logout](./logout) iframes. Embedding the login, consent, or other | |
| Host Hydra on the same eTLD+1 as your application and use `SameSite=Lax` whenever possible. For cross-domain logout, see the | |
| [logout guide](./logout) and prefer back-channel logout over front-channel logout iframes. Embedding the login, consent, or other |
| The `serve.cookies.same_site_mode` setting controls the | ||
| [`SameSite`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value) attribute. | ||
| Allowed values are `Strict`, `Lax`, or `None`. The default is `None`. | ||
|
|
||
| ```yaml | ||
| serve: | ||
| cookies: | ||
| same_site_mode: Strict | ||
| same_site_mode: Lax | ||
| ``` |
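Review bot: the `None` default stated in the line "Allowed values are `Strict`, `Lax`, or `None`. The default is `None`." is only honored by current browsers when the cookie also carries the `Secure` attribute, so over plain HTTP (the development-mode case this PR documents in its new `Secure` section) a `SameSite=None` cookie is silently dropped by the browser; consider adding one sentence here that cross-references the development-mode `Secure` section so readers understand why login or consent flows can fail with the default in a non-TLS setup. The example's `same_site_mode: Lax` should also be labelled as the recommended override, since it differs from the default stated just above it.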
The text says the default serve.cookies.same_site_mode is None, but the immediately following YAML example sets it to Lax without explaining that this is a recommended override. To avoid readers thinking Lax is the default, either adjust the example to show None or add a short note that the snippet is an example recommendation.
Related Issue or Design Document
Checklist
If this pull request addresses a security vulnerability, I confirm that I got approval (please contact security@ory.com) from the maintainers to push the changes.
Further comments