I propose to add the sameSite attribute to the cfcookie tag. This cookie attribute will help to prevent Cross-Site Request Forgeries.
See: https://scotthelme.co.uk/csrf-is-dead/
Can you add the ACF-compat label?
the new ACF syntax throws
samesite="Strict | Lax | None" and the “secure” options are very useful in cookie settings.
For now I add the Header directive below to the httpd config, but doing this at the Lucee level would be better:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
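An added example, not part of the thread or of Lucee's code: a Python sketch that mimics the blanket Header edit rewrite above on constructed Set-Cookie values and audits the result, showing that the rule also appends to cookies that already carry these attributes. The function names and the sample cookies are assumptions made for illustration.

```python
import re

# Attributes the httpd rule in the comment above appends to every Set-Cookie value.
APPENDED = ";HttpOnly;Secure;SameSite=Strict"

def blanket_edit(set_cookie):
    """Mimic: Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict"""
    return re.sub(r"^(.*)$", r"\1" + APPENDED, set_cookie, count=1)

def attributes(set_cookie):
    """Return (name, value) pairs for the attributes after the cookie's name=value."""
    pairs = []
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name.lower(), value.strip().lower()))
    return pairs

def audit(set_cookie):
    """List findings for one Set-Cookie value: missing, duplicate or conflicting flags."""
    attrs = attributes(set_cookie)
    names = [name for name, _ in attrs]
    findings = []
    for flag in ("httponly", "secure", "samesite"):
        if flag not in names:
            findings.append("missing " + flag)
        elif names.count(flag) > 1:
            findings.append("duplicate " + flag)
    modes = sorted({value for name, value in attrs if name == "samesite"})
    if len(modes) > 1:
        findings.append("conflicting samesite: " + ",".join(modes))
    if "none" in modes and "secure" not in names:
        findings.append("samesite=none without secure")
    return findings

# Constructed sample headers (not taken from the thread).
SAMPLES = [
    "cfid=abc123; Path=/",
    "cftoken=0; Path=/; HttpOnly; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        edited = blanket_edit(raw)
        print(raw, "->", audit(raw))
        print(edited, "->", audit(edited))
```

Setting the attributes where the cookie is created, as the cfcookie proposal does, avoids the duplicate and conflicting values the second sample ends up with.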
I added the label.
cleaned up the PR
PR to enable samesite strict for the admin