A cookie setting that controls whether the browser includes a cookie on requests coming from other websites. Setting it to Lax blocks most cross-site request forgery attacks without breaking normal links and navigation.