Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi, we observed that when using kratos (in Ory Cloud), the set-cookie header on the `GET /self-service/login/browser` endpoint contains `SameSite=Lax` which causes our browsers to not set this cookie. This is ofcourse problematic, since then submitting the loginflow later causes a CSRF error. I read that when running kratos in `--dev` mode, this will occur, but we are using Ory Cloud (Ory Network?) and I cannot find this option in the console. How can we fix this?