From 68b5c06cfb4e75445ffbfdae38c5e80a4bb5c160 Mon Sep 17 00:00:00 2001
From: Giles Burdett
Date: Fri, 8 Sep 2017 18:47:42 +0100
Subject: [PATCH] Document use of the sameSite attribute made available in v0.8
---
 README.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2862c67..6e5a0ed 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,12 @@ app.use(sessions({
 maxAge: 60000, // duration of the cookie in milliseconds, defaults to duration above
 ephemeral: false, // when true, cookie expires when the browser closes
 httpOnly: true, // when true, cookie is not accessible from javascript
- secure: false // when true, cookie will only be sent over SSL. use key 'secureProxy' instead if you handle SSL not in your node process
+ secure: false, // when true, cookie will only be sent over SSL. use key 'secureProxy' instead if you handle SSL not in your node process
+
+ // when 'strict' or true, cookie will not be sent on any cross-origin request
+ // when 'lax', cookie will be sent on all top-level navigations using safe HTTP methods: GET, HEAD, OPTIONS and TRACE
+ // when false (the default), the Same Site attribute is not set
+ sameSite: 'strict'
 }
 }));
 ```