diff --git a/config/settings.yml b/config/settings.yml
index e9d4787ed..449757de4 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -5,7 +5,7 @@ static-dir: "_env:STATIC_DIR:static"
 well-known-dir: "_env:WELL_KNOWN_DIR:well-known"
-well-known-link-file: "html_code.html"
+well-known-link-file: html_code.html
 webpack-manifest: "_env:WEBPACK_MANIFEST:config/webpack.yml"
 host: "_env:HOST:*4" # any IPv4 host
@@ -70,7 +70,7 @@ allow-deprecated: "_env:ALLOW_DEPRECATED:false"
 server-session-acid-fallback: "_env:SERVER_SESSION_ACID_FALLBACK:false"
 auth-pw-hash:
- algorithm: "pbkdf2"
+ algorithm: pbkdf2
 strength: 14
 # Optional values with the following production defaults.
@@ -111,7 +111,7 @@ smtp:
 port: "_env:SMTPPORT:25"
 ssl: "_env:SMTPSSL:starttls"
 auth:
- type: "login"
+ type: login
 user: "_env:SMTPUSER:"
 pass: "_env:SMTPPASS:"
 pool:
@@ -137,7 +137,7 @@ session-memcached:
 expiration: "_env:SESSION_MEMCACHED_EXPIRATION:28807"
 server-sessions:
- cookie-name: "_SESSION"
+ cookie-name: _SESSION
 idle-timeout: 28807
 absolute-timeout: 604801
 timeout-resolution: 601
@@ -146,6 +146,7 @@ server-sessions:
 secure-cookies: "_env:SERVER_SESSION_COOKIES_SECURE:true"
 session-token-expiration: 28807
 session-token-encoding: HS256
+session-samesite: strict
 user-defaults:
 max-favourites: 12
diff --git a/config/test-settings.yml b/config/test-settings.yml
index a8bf9ded8..7ba4552eb 100644
--- a/config/test-settings.yml
+++ b/config/test-settings.yml
@@ -4,8 +4,8 @@ database:
 log-settings:
 detailed: true
 all: true
- minimum-level: "debug"
- destination: "test.log"
+ minimum-level: debug
+ destination: test.log
 auth-dummy-login: true
 server-session-acid-fallback: true
diff --git a/src/Foundation.hs b/src/Foundation.hs
index 41fa7917b..66568e795 100644
--- a/src/Foundation.hs
+++ b/src/Foundation.hs
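Review bot: The new `session-samesite: strict` in the last settings.yml hunk is the only session-cookie knob in that block that cannot be overridden per deployment; its neighbour `secure-cookies: "_env:SERVER_SESSION_COOKIES_SECURE:true"` uses the `_env:` form, so `session-samesite: "_env:SERVER_SESSION_SAMESITE:strict"` would keep that convention if an override is wanted (assuming the loader substitutes `_env:` values before the enum is parsed, which this file does not show). Strict also means the session cookie is withheld on every cross-site navigation into the site, so a user arriving from an external link or an off-origin redirect appears logged out on that first request; if any login or deep-link flow crosses origins, `lax` is the usual choice and the trade-off belongs in a comment next to the key, e.g. `# strict: cookie not sent on cross-site navigations; use lax if external links must land on an authenticated page`. The other hunks in this file and in test-settings.yml only drop quotes around scalars.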
@@ -1469,7 +1469,7 @@ instance Yesod UniWorX where
 Nothing -> getApprootText guessApproot app req
 Just root -> root
- makeSessionBackend app@UniWorX{ appSettings' = AppSettings{..}, ..} = case appSessionStore of
+ makeSessionBackend app@UniWorX{ appSettings' = AppSettings{..}, ..} = sameSite $ case appSessionStore of
 SessionStorageMemcachedSql sqlStore -> mkBackend =<< stateSettings <$> ServerSession.createState sqlStore
 SessionStorageAcid acidStore
@@ -1494,6 +1494,13 @@ instance Yesod UniWorX where
 mkBackend = JwtSession.backend cfg (JwtSession.siteApproot app)
 stateSettings :: forall sto. ServerSession.State sto -> ServerSession.State sto
 stateSettings = applyServerSessionSettings appServerSessionConfig
+ sameSite
+ | Just SameSiteStrict <- appSessionSameSite
+ = strictSameSiteSessions
+ | Just SameSiteLax <- appSessionSameSite
+ = laxSameSiteSessions
+ | otherwise
+ = id
 maximumContentLength app _ = app ^. _appMaximumContentLength
diff --git a/src/Settings.hs b/src/Settings.hs
index db800ddd9..88c7c8e8d 100644
--- a/src/Settings.hs
+++ b/src/Settings.hs
@@ -98,6 +98,7 @@ data AppSettings = AppSettings
 , appSessionMemcachedConf :: Maybe MemcachedConf
 , appSessionTokenExpiration :: Maybe NominalDiffTime
 , appSessionTokenEncoding :: JwtEncoding
+ , appSessionSameSite :: Maybe SameSite
 , appMailFrom :: Address
 , appMailObjectDomain :: Text
@@ -158,6 +159,10 @@ data AppSettings = AppSettings
 , appRibbon :: Maybe Text
 } deriving Show
+data SameSite = SameSiteStrict | SameSiteLax
+ deriving stock (Eq, Ord, Read, Show, Enum, Bounded, Generic, Typeable)
+ deriving anyclass (Universe, Finite)
+
 newtype ServerSessionSettings = ServerSessionSettings
 { applyServerSessionSettings :: forall a. ServerSession.State a -> ServerSession.State a }
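Review bot: The `otherwise = id` fallthrough in `sameSite` (the @@ -1494 hunk) makes an unset `session-samesite` issue the session cookie with no SameSite attribute at all, and because the alternatives are pattern guards rather than a `case`, any constructor later added to `SameSite` would also fall silently into `id` instead of being reported by -Wincomplete-patterns. A `case` on the `Maybe` keeps today's behaviour while making both facts explicit: `sameSite = maybe id (\s -> case s of SameSiteStrict -> strictSameSiteSessions; SameSiteLax -> laxSameSiteSessions) appSessionSameSite`. If an attribute-less cookie is not the intended default, `laxSameSiteSessions` in place of `id` is the conservative choice; either way a one-line comment such as `-- no session-samesite key: cookie is issued without a SameSite attribute` saves the next reader a trip to Settings.hs. The call site is the one-line change in the @@ -1469 hunk, and the `where` block holding `sameSite` starts outside both hunks.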
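Review bot: `SameSite` in the @@ -158 hunk of Settings.hs carries no Haddock, so a reader of `AppSettings` cannot tell what `appSessionSameSite = Nothing` means without opening Foundation.hs. Two comments would close that gap: on the declaration, `-- | Value of the @SameSite@ attribute put on the session cookie (config key @session-samesite@).`, and on the new field in the @@ -98 hunk, `-- ^ 'Nothing' leaves the session cookie without a SameSite attribute`. The type has no @None@ variant, which means the configuration can never request a cross-site session cookie; if that restriction is intentional it is worth one sentence in the same Haddock so nobody "completes" the enum later.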
@@ -272,6 +277,9 @@ data SmtpAuthConf = SmtpAuthConf
 , smtpAuthPassword :: HaskellNet.Password
 } deriving (Show)
+nullaryPathPiece ''SameSite $ camelToPathPiece' 2
+pathPieceJSON ''SameSite
+
 deriveJSON defaultOptions
 { constructorTagModifier = camelToPathPiece' 2
 , fieldLabelModifier = camelToPathPiece' 2
@@ -491,6 +499,7 @@ instance FromJSON AppSettings where
 appServerSessionConfig <- o .: "server-sessions"
 appSessionTokenExpiration <- o .:? "session-token-expiration"
 appSessionTokenEncoding <- o .: "session-token-encoding"
+ appSessionSameSite <- o .:? "session-samesite"
 return AppSettings{..}
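Review bot: The config spellings that `nullaryPathPiece ''SameSite $ camelToPathPiece' 2` accepts are not stated anywhere in the diff; settings.yml uses `strict`, which suggests the modifier strips the `SameSite` prefix and lower-cases the remainder, but that depends on `camelToPathPiece'`, which is outside this diff. A comment above the splice, `-- config spellings for @session-samesite@: "strict" | "lax" (derived via camelToPathPiece' 2)`, would make the valid values discoverable next to the `o .:? "session-samesite"` parse in the @@ -491 hunk. Since `.:?` maps both a missing key and an explicit `null` to `Nothing`, while a misspelt value presumably fails the whole settings parse through the generated FromJSON instance, that asymmetry belongs in the same comment.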