1. headers http header: set-cookie: `samesite`: defaults to `lax`