About this task
When you use cross-origin resource sharing (CORS), Avaya Aura® Device Services might receive cross-origin HTTP requests from a different domain. To prevent cross-site request forgery attacks, you can use the SameSite attribute to specify when Avaya Aura® Device Services sends cookies in response to cross-origin requests. The SameSite attribute can have one of the following values:
Strict: Avaya Aura® Device Services only sends cookies to the domain that sent the HTTP request. Avaya Aura® Device Services does not send cookies to third-party domains. It also does not send cookies for cross-origin requests.
Avaya Aura® Device Services uses this value after a fresh installation of Release 8.0.2.
Lax: Avaya Aura® Device Services sends cookies when performing top-level navigations, but does not send cookies for cross-origin requests.
Avaya Aura® Device Services uses this value after upgrading to Release 8.0.2.
None: Avaya Aura® Device Services sends cookies in response to all requests, including cross-origin requests.
You can set the SameSite attribute for the following interface levels:
Service interface, which is used for REST API and Utility Server cookies.
Administrator interface, which is used for Avaya Aura® Device Services and Utility Server administration portal cookies.
Avaya Aura® Device Services retains the configured values after an upgrade.
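After you set the value, you can confirm that the cookies on each interface actually carry it. The following check is an added example, not part of the Avaya documentation or product: it compares the SameSite attribute in captured Set-Cookie headers with the value configured for that interface. The cookie names and header values are constructed samples; replace them with headers captured from your own service or administrator interface.

```python
# Added example: audit SameSite on captured Set-Cookie headers.
# Cookie names and header values are constructed samples, not Avaya's.

VALID = {"strict", "lax", "none"}

def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie value; attribute keys are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit(headers, expected):
    """Compare each cookie's SameSite value with the value configured for the interface.

    Returns a list of (cookie_name, finding); an empty list means every cookie matches.
    """
    expected = expected.lower()
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        samesite = attrs.get("samesite")
        if samesite is None:
            findings.append((name, "SameSite missing; browser default applies"))
            continue
        value = samesite.lower()
        if value not in VALID:
            findings.append((name, f"unrecognised SameSite value {samesite!r}"))
        elif value != expected:
            findings.append((name, f"SameSite={samesite}, expected {expected.capitalize()}"))
        if value == "none" and "secure" not in attrs:
            findings.append((name, "SameSite=None without Secure; current browsers reject it"))
    return findings

# Constructed sample: headers as they might be captured from one interface.
SAMPLE = [
    "SESSION_A=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "SESSION_B=def456; Path=/; HttpOnly; SameSite=None",
    "SESSION_C=ghi789; Path=/; Secure",
    "SESSION_D=jkl012; Path=/; Secure; samesite=lax",
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, "Strict"):
        print(f"{name}: {finding}")
```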