diff --git a/ChangeLog b/ChangeLog
index 2b4e07ab..700c2265 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@ - use only the User-Agent header as input for the state browser fingerprinting by default (no X-Forwarded-For) as cloud environments increasingly use dynamic proxy IPs in front - use PKCE S256 by default; disable by configuring "OIDCPKCEMethod none" +- use SameSite cookies Strict by default; disable by configuring "OIDCCookieSameSite Off" 10/30/2023 - do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected
diff --git a/auth_openidc.conf b/auth_openidc.conf
index 9738e1f3..4398d696 100644
--- a/auth_openidc.conf
+++ b/auth_openidc.conf
@@ -533,7 +533,7 @@
 # conditionally overridden using an environment variable in the Apache config as in:
 # SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
 #
-# When not defined the default is Off.
+# When not defined the default is On.
 #OIDCCookieSameSite [On|Off]
 
 # Specify the names of cookies to pickup from the browser and send along on backchannel
diff --git a/src/config.c b/src/config.c
index 568ccb76..5cadc979 100644
--- a/src/config.c
+++ b/src/config.c
@@ -119,7 +119,7 @@
 /* set httponly flag on cookies */
 #define OIDC_DEFAULT_COOKIE_HTTPONLY 1
 /* set Same-Site flag on cookies */
-#define OIDC_DEFAULT_COOKIE_SAME_SITE 0
+#define OIDC_DEFAULT_COOKIE_SAME_SITE 1
 /* default cookie path */
 #define OIDC_DEFAULT_COOKIE_PATH "/"
 /* default OAuth 2.0 introspection token parameter name */
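Review bot: The new default `#define OIDC_DEFAULT_COOKIE_SAME_SITE 1` in the src/config.c hunk gives no hint of which SameSite attribute value it selects, while the ChangeLog entry in the same commit states the default is now Strict; a reader of config.c alone cannot tell whether 1 means Strict, Lax, or merely "emit the attribute". Extend the comment on the preceding line to `/* set Same-Site flag on cookies: 1 = On (SameSite=Strict per ChangeLog), 0 = Off */` so the constant and the release note stay in agreement. Since the auth_openidc.conf comment already documents the per-User-Agent `OIDC_SET_COOKIE_APPEND` override, a short pointer to that directive here would help maintainers, as the stricter default now applies to every deployment that has not set OIDCCookieSameSite explicitly.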