umbraco · kjac · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025
diff --git a/17/umbraco-cms/reference/configuration/securitysettings.md b/17/umbraco-cms/reference/configuration/securitysettings.md
@@ -44,6 +44,9 @@ A full configuration with all default values can be seen here:
       "AllowConcurrentLogins": false,
       "UserDefaultFailedLoginDurationInMilliseconds": 1000,
       "UserMinimumFailedLoginDurationInMilliseconds": 250,
+      "BackOfficeTokenCookie": {
+        "SameSite": "Strict"
+      }
     }
   }
 }
@@ -153,3 +156,13 @@ Options are:
 ## Member password settings
 
 This section allows you to define the password rules for members. This section is identical to the one for users.
+
+## Backoffice token cookie settings
+
+User authentication tokens are redacted from the server's authentication responses and put into secure cookies instead. This section lets you change the default settings for the generated token cookies.
+
+It is not recommended to change these settings, as it may result in lesser security for the backoffice users.
+
+### Same site
+
+Sets the `SameSite` configuration for the token cookies. Valid values are "Unspecified", "None", "Lax", and "Strict" (default).