* samesite at least lax
* cookies http only
* secure cookies (I'd rather do this on the proxy anyway)