Comment by ksec
Maybe even better to link it to the PDF? [1]. From the Changelog I am also guessing most of these are not fixed in 8.0.2? I wonder if they will come with Rails 8.1, which is still not released.
[1] https://www.x41-dsec.de/static/reports/X41-Rails-Audit-Final...
You really don't want strict same-site cookies for the most part. I get that it's "more secure", but as soon as someone clicks a link from somewhere else, you open it without being logged in.
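The behaviour the comment describes, as an added example that is not code from the thread or from Rails: a small model of when a browser attaches a cookie under SameSite=Strict, Lax and None. The site computation uses a two-label approximation instead of the Public Suffix List, and the hostnames and the `external_link_logged_in?` helper are constructed for illustration.

```ruby
require "uri"

# Approximate a URL's "site" (registrable domain) by its last two labels.
# Constructed simplification: real browsers consult the Public Suffix List.
def site_of(url)
  URI(url).host.split(".").last(2).join(".")
end

# Decide whether a cookie carrying the given SameSite attribute is attached
# to a request. Rules modelled:
#   Strict - only when the initiator is same-site
#   Lax    - same-site, or a top-level navigation using a safe method
#   None   - always (browsers additionally require Secure, not modelled here)
def cookie_sent?(same_site:, request_url:, initiator_url:, method: "GET", top_level: true)
  same_site_request = initiator_url.nil? || site_of(initiator_url) == site_of(request_url)
  safe_method = %w[GET HEAD OPTIONS].include?(method.upcase)
  case same_site.to_s.downcase
  when "strict" then same_site_request
  when "lax"    then same_site_request || (top_level && safe_method)
  when "none"   then true
  else raise ArgumentError, "unknown SameSite value: #{same_site}"
  end
end

# The comment's scenario: a logged-in user of app.example.com follows a link
# posted on an unrelated site. Under Strict the session cookie is dropped on
# that navigation, so the page renders logged out; under Lax it is sent.
def external_link_logged_in?(same_site)
  cookie_sent?(same_site: same_site,
               request_url: "https://app.example.com/dashboard",
               initiator_url: "https://news.ycombinator.com/item?id=1",
               method: "GET", top_level: true)
end

if __FILE__ == $PROGRAM_NAME
  %i[strict lax].each do |policy|
    puts "SameSite=#{policy}: logged in after external link? #{external_link_logged_in?(policy)}"
  end
end
```

Lax still withholds the cookie on cross-site POSTs, which is the CSRF case that matters; in Rails the attribute is set through `config.action_dispatch.cookies_same_site_protection`, which defaults to `:lax` in new apps.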