I think the Set-Cookie string in the response header is constructed in the
following code:
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io...
As Bill already mentioned, a new attribute should be added in the Cookie
interface and Impl:
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io...
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io...
In addition, it looks like ServletCookieAdaptor also needs to be modified because
this class implements the above Cookie interface. However, the Servlet API
javax.servlet.http.Cookie does not have support for such a SameSite
attribute, so I think this one should not do anything:
https://github.com/undertow-io/undertow/blob/master/servlet/src/main/java...
I've just created a possible proposed patch to add SameSite Cookie support:
https://github.com/undertow-io/undertow/compare/master...msfm:master_Same...
With this, you can add the SameSite attribute like:
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.Cookie;
import io.undertow.server.handlers.CookieImpl;
import io.undertow.util.Headers;

Undertow server = Undertow.builder()
        .addHttpListener(8080, "localhost")
        .setHandler(new HttpHandler() {
            @Override
            public void handleRequest(final HttpServerExchange exchange) throws Exception {
                // setSameSite(...) is the method added by the proposed patch
                Cookie cookie = new CookieImpl("testCookie", "testValue").setSameSite("");
                // Cookie cookie = new CookieImpl("testCookie", "testValue").setSameSite("Strict");
                // Cookie cookie = new CookieImpl("testCookie", "testValue").setSameSite("Lax");
                exchange.setResponseCookie(cookie);
                exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
                exchange.getResponseSender().send("Hello World");
            }
        }).build();
server.start();
Masafumi
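As an added example (not Undertow's code and not the patch linked above), the hypothetical class below models the two pieces the thread says are needed: a cookie that carries a sameSite field, and the Set-Cookie header value built from it. It also validates the mode before serialising it, and applies the later browser rule that SameSite=None is only accepted together with Secure; the class and method names are assumptions.

```java
// Added example, not Undertow's own code: a hypothetical stand-alone model of
// what the patch needs, a cookie carrying a sameSite field and the Set-Cookie
// header value built from it, with the value checked before it is serialised.
public final class SameSiteCookieExample {
    // Canonical spellings; the attribute is only meaningful with one of these.
    private static final String[] ALLOWED = {"Strict", "Lax", "None"};

    private final String name;
    private final String value;
    private final boolean secure;
    private final String sameSite; // null means the attribute is not emitted

    SameSiteCookieExample(String name, String value, boolean secure, String sameSite) {
        this.name = name;
        this.value = value;
        this.secure = secure;
        this.sameSite = sameSite == null ? null : normalise(sameSite, secure);
    }

    // Map a case-insensitive mode to its canonical spelling, or reject it so a
    // typo never reaches the header, where a browser would silently ignore it.
    static String normalise(String mode, boolean secure) {
        for (String allowed : ALLOWED) {
            if (allowed.equalsIgnoreCase(mode)) {
                // Browsers reject SameSite=None unless Secure is also present.
                if (allowed.equals("None") && !secure) {
                    throw new IllegalArgumentException("SameSite=None requires Secure");
                }
                return allowed;
            }
        }
        throw new IllegalArgumentException("Unsupported SameSite value: " + mode);
    }

    // Serialise the cookie the way the response-header writer would.
    String toSetCookieHeader() {
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (secure) sb.append("; Secure");
        if (sameSite != null) sb.append("; SameSite=").append(sameSite);
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(new SameSiteCookieExample("testCookie", "testValue", true, "Strict")
                .toSetCookieHeader());
        System.out.println(new SameSiteCookieExample("testCookie", "testValue", false, "lax")
                .toSetCookieHeader());
    }
}
```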
On Fri, Mar 3, 2017 at 4:26 AM, Bill O'Neil <bill(a)dartalley.com> wrote:

> This should be a good starting point
>
> Cookie Interface and Impl
> https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io...
> https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io...
>
> CookieUtil
> https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io...
>
> Setting a response cookie
> https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io...
>
> This was just a quick glance. I'm not sure exactly where the header is set
> but this should be a good start.
>
> Bill
>
> On Thu, Mar 2, 2017 at 2:15 PM, Sven Kubiak <sven(a)kubiak.me> wrote:
>
>> I have looked at the current Cookie Implementation in Undertow, and it
>> seems like there is no support for the Same-Site Cookie Attribute.
>>
>> See: https://scotthelme.co.uk/csrf-is-dead/
>>
>> I'll be happy to create a pull request, if someone could point me to the
>> right classes (and test cases) where the response headers for the cookies
>> are being set.
>>
>> Best regards,
>> Sven
>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev