Skip to main content

Advanced base URL, CSRF and session cookie settings

This document describes advanced strategies for multi-domain environments and other scenarios.

Base URL

The public base URL (serve.public.base_url) is used to compute redirect URLs, form action URLs, and more.


Ory Kratos' browser features rely heavily on HTTP Cookies to mitigate common attack vectors and make the integration as easy as possible to use. Therefore it is important to know that

  1. HTTP Cookies ignore ports, meaning the browser will send a cookie it received for to as well.
  2. Subdomains can set HTTP Cookies for parent domains, meaning a HTTP Cookie specifying will be allowed to set even if the URL is or

You can adjust the session cookie's domain using:

# Settings for both anti-CSRF and session cookies
path: /cookies
same_site: Lax

# Overrides cookies.domain for session cookies

# Overrides cookies.path for session cookies
path: /

# Overrides cookies.samesite for session cookies
same_site: Strict

At the moment it isn't possible to set up Ory Kratos in a way where you get session cookies running on two separate top level domains (for example and This is tracked as kratos#662.