Speaking of token security control...
The token security control feature is intended to prevent Cross-Site Request Forgery (CSRF) attacks. TOTVS Identity can generate tokens with SameSite Lax or Strict. With Lax, requests coming from other URLs can use the token only in first-level (top-level) GETs, while Strict prevents any interaction of other URLs with the token.
Configure token security control
01. Click the Settings icon in the top right corner and select Security.
02. Access the feature Token Security Control.
03. Choose the option you want.
The token security control options in Identity are: NONE, LAX, or STRICT. By default, no control is performed (NONE).
When the setting is STRICT, the browser does not send the cookie on any cross-site request, under any circumstances. When it is LAX, the browser withholds the cookie only on cross-site requests that use unsafe methods (POST, for example), and still sends it on other cross-site requests.
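The difference between the three options can be checked with a small model of the browser's decision; this is an added example, not TOTVS code. The cookie name, header values, scenario names and function names are constructed, and a cookie with SameSite=None or no attribute is treated as uncontrolled (some browsers apply Lax when the attribute is missing).

```javascript
// Added example: parse SameSite from a Set-Cookie header and model when the cookie is sent.
// Cookie name and header values are constructed samples, not TOTVS Identity output.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Returns "strict", "lax", "none", or null when the attribute is absent or invalid.
function parseSameSite(setCookie) {
  for (const part of setCookie.split(";").slice(1)) {
    const [name, value = ""] = part.trim().split("=");
    if (name.toLowerCase() === "samesite") {
      const v = value.trim().toLowerCase();
      return ["strict", "lax", "none"].includes(v) ? v : null;
    }
  }
  return null;
}

// Decide whether a browser that enforces the attribute attaches the cookie.
function cookieIsSent(sameSite, request) {
  if (!request.crossSite) return true;        // same-site requests always carry it
  if (sameSite === "strict") return false;    // never on a cross-site request
  if (sameSite === "lax") {                   // only top-level navigation with a safe method
    return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
  }
  return true;                                // "none" or absent: assumed uncontrolled
}

// Constructed request scenarios a defender would want to compare.
const SCENARIOS = {
  crossSiteFormPost: { crossSite: true, method: "POST", topLevelNavigation: true },
  crossSiteLinkGet: { crossSite: true, method: "GET", topLevelNavigation: true },
  crossSiteEmbeddedGet: { crossSite: true, method: "GET", topLevelNavigation: false },
  sameSitePost: { crossSite: false, method: "POST", topLevelNavigation: false },
};

// Evaluate one Set-Cookie header against every scenario.
function evaluate(setCookie) {
  const mode = parseSameSite(setCookie);
  const sent = {};
  for (const [name, req] of Object.entries(SCENARIOS)) sent[name] = cookieIsSent(mode, req);
  return { mode, sent };
}

// Constructed sample headers, one per option.
const SAMPLES = [
  "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
  "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "session=abc123; Path=/; Secure; HttpOnly; SameSite=None",
];
for (const h of SAMPLES) console.log(h, JSON.stringify(evaluate(h)));
```

To check a live deployment, paste the Set-Cookie value shown in the browser's developer tools into `evaluate` after changing the setting.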
ATTENTION!
If you use the Analytics widget of the TOTVS Fluig Platform, the Token Security Control should not be enabled.