Why is CSRF necessary?

[musjj]

The guide recommends implementing CSRF protection via a middleware: https://lucia-auth.com/sessions/cookies/nextjs

But if you set your cookies with SameSite=Lax, isn't it good enough to prevent CSRF? What kind of attacks is the additional middleware preventing?

[pilcrowonpaper]

1. There's still like 1-5% of users who don't use browser's that support SameSite=Lax
2. Rare, but SameSite doesn't protect you from cross-origin request forgery

https://thecopenhagenbook.com/csrf#samesite-cookie-attribute

[musjj]

Rare, but SameSite doesn't protect you from cross-origin request forgery

Thanks, I didn't know that there's a difference between a site and origin. I also found this article which further explains the difference: https://jub0bs.com/posts/2021-01-29-great-samesite-confusion