How it works...

The express-session cookie.sameSite option is passed to the underlying cookie module, which generates a Set-Cookie HTTP header with SameSite=Strict appended to the end.

For instance, the header might look like:

Set-Cookie: SESSIONID=s%3Au1OmVSF6bQUXxMz4eIS4F8-32pK0rikc.f1y...bHX7QUGcH9ix5A; Path=/; HttpOnly; SameSite=Strict 

Notice the SameSite=Strict at the end. The SameSite directive can be set to strict or lax; passing true equates to setting it to strict.

The lax mode allows GET requests (which should not change server state) to be submitted cross-site; this may be important in widget or advertising situations (such as a Facebook like button).

If this isn't a requirement, strict is a better option, since it precludes exploitation of poor or accidental route handling where a GET request modifies server state.

When a (modern) browser honours the directive, we essentially opt in to a browser-enforced same-site policy for the cookie: it is no longer attached to requests initiated from other sites.
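To make the mapping concrete, here is an added example (not code from the book or from express-session): a small re-implementation of how the sameSite option becomes a Set-Cookie attribute, plus a checker that audits an emitted header for HttpOnly and SameSite=Strict. The serializer is an assumption that mirrors the cookie module's documented mapping (true and 'strict' give Strict, 'lax' gives Lax); it is not the module itself.

```javascript
// Added example, not the cookie module: mirrors its sameSite mapping
// (assumed: true -> Strict, 'strict' -> Strict, 'lax' -> Lax) and audits
// the resulting Set-Cookie header the way a reviewer would.

function sameSiteAttribute(option) {
  // true is shorthand for Strict; strings are matched case-insensitively
  if (option === true) return 'Strict';
  if (typeof option !== 'string') return null;
  const normalised = option.toLowerCase();
  if (normalised === 'strict') return 'Strict';
  if (normalised === 'lax') return 'Lax';
  throw new TypeError(`unsupported sameSite value: ${option}`);
}

function serializeSessionCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  const sameSite = sameSiteAttribute(opts.sameSite);
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value into its name/value pair and attribute map
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Report which protective attributes a session cookie header is missing
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) findings.push('missing HttpOnly');
  const sameSite = (attributes.samesite || '').toLowerCase();
  if (sameSite !== 'strict') findings.push(`SameSite is '${sameSite || 'unset'}', expected Strict`);
  return findings;
}
```

Running auditSetCookie over the header shown above returns an empty list; a header that only carries Path=/ is reported as missing both HttpOnly and a strict SameSite.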
