umbraco · kjac · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025
diff --git a/16/umbraco-cms/reference/configuration/securitysettings.md b/16/umbraco-cms/reference/configuration/securitysettings.md
@@ -44,6 +44,10 @@ A full configuration with all default values can be seen here:
       "AllowConcurrentLogins": false,
       "UserDefaultFailedLoginDurationInMilliseconds": 1000,
       "UserMinimumFailedLoginDurationInMilliseconds": 250,
+      "BackOfficeTokenCookie": {
+        "Enabled": false,
+        "SameSite": "Strict"
+      }
     }
   }
 }
@@ -153,3 +157,22 @@ Options are:
 ## Member password settings
 
 This section allows you to define the password rules for members. This section is identical to the one for users.
+
+## Backoffice token cookie settings
+
+As an added security feature, user authentication tokens can be returned in secure cookies from the server's authentication requests. This section lets you change the default settings for the generated token cookies.
+
+For backwards compatibility reasons, the feature is disabled by default.
+
+Recommendations:
+
+1. Enable this feature (see below).
+2. Retain the default values for the rest of the configuration.
+
+### Enabled
+
+When set to `true`, user authentication tokens are redacted from the server authentication responses and put into secure cookies instead.
+
+### Same site
+
+Sets the `SameSite` configuration for the token cookies. Valid values are "Unspecified", "None", "Lax", and "Strict" (default).