Skip to main content

Common CSRF pitfalls

Same-site in Chrome

Google Chrome changed the behavior of SameSite=None so that it isn't possible to use this SameSite mode without the HTTP Cookie secure flag.

If you run a version of Ory Hydra 1.6 and below and experience this issue:

  • Make sure to not use the --dev flag
  • Set configuration value serve.cookies.same_site_mode or environment variable SERVE_COOKIES_SAME_SITE_MODE to Lax - this happens automatically for Ory Hydra v1.7.0 when running in HTTP mode.

Chrome rejects cookies without the secure flag if a cookie with the same name for the same scope (domain, path) is set that has the secure flag. Ory Hydra 1.7.0+ uses different names for cookies with and without secure flag. For versions prior to that, you need to delete the cookies for the domain in order to get them working again.

Ory Hydra Running Over HTTP Without dev-mode Enabled

You are running Ory Hydra via HTTP but are missing the --dev CLI flag:

hydra serve all -c path/to/config.yml --dev

Mixing up 127.0.0.1 and localhost

Use either 127.0.0.1 or localhost - so either IPs or hostnames - throughout your flow because cookies from an IP aren't available to the hostname and vice-versa.

Reverse proxy or load balancers

You are running Ory Hydra behind a reverse proxy that strips the Cookie header. If the reverse proxy supports path rewrites that might also cause issues!