gorilla / csrf

Package gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services 🔒

Home Page:https://gorilla.github.io


CSRF tokens set without using the SameSite flag

tzafrirben opened this issue · comments

It is recommended by Mozilla infosec and OWASP to add the SameSite flag to the CSRF prevention cookie, but this option is not exported and cannot be set by the caller:

  1. https://infosec.mozilla.org/guidelines/web_security#csrf-prevention
  2. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Samesite_Cookie_Attribute

I've created a pull request with the relevant changes. SameSite was added to the net/http package in the Go 1.11 release, so if an older Go version is used it might break the package.
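For readers who want to see what the requested attribute looks like on the wire, the following is an added example written for this page; it is not gorilla/csrf's own code and does not use the package's API. It builds a CSRF cookie with plain net/http (cookie name `_csrf_demo` and the token size are assumptions for the example), renders the Set-Cookie header through an httptest recorder, and parses the SameSite value back out so a test or a reviewer can confirm the attribute is actually emitted. The `http.SameSite` field is the Go 1.11 addition the issue refers to, so this does not compile on older toolchains.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newCSRFCookie builds a CSRF cookie carrying a fresh random token and the
// attributes discussed in the issue (HttpOnly, Secure, SameSite).
// The cookie name "_csrf_demo" and the 32-byte token are assumptions made
// for this example; gorilla/csrf uses its own name and token format.
func newCSRFCookie(sameSite http.SameSite) (*http.Cookie, error) {
	token := make([]byte, 32) // 256 bits from the CSPRNG
	if _, err := rand.Read(token); err != nil {
		return nil, err
	}
	return &http.Cookie{
		Name:     "_csrf_demo",
		Value:    base64.RawURLEncoding.EncodeToString(token),
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: sameSite, // field exists only in Go 1.11 and later
	}, nil
}

// setCookieHeader renders the Set-Cookie header a handler would send for the
// cookie, so the emitted attributes can be inspected without a browser.
func setCookieHeader(sameSite http.SameSite) (string, error) {
	c, err := newCSRFCookie(sameSite)
	if err != nil {
		return "", err
	}
	rec := httptest.NewRecorder()
	http.SetCookie(rec, c)
	return rec.Header().Get("Set-Cookie"), nil
}

// sameSiteValue extracts the SameSite attribute value ("Strict", "Lax" or
// "None") from a Set-Cookie header, or "" when the attribute is absent.
func sameSiteValue(header string) string {
	for _, attr := range strings.Split(header, ";") {
		kv := strings.SplitN(strings.TrimSpace(attr), "=", 2)
		if len(kv) == 2 && strings.EqualFold(kv[0], "SameSite") {
			return kv[1]
		}
	}
	return ""
}

func main() {
	// 0 leaves the attribute unset, which is what the issue describes.
	for _, mode := range []http.SameSite{0, http.SameSiteLaxMode, http.SameSiteStrictMode} {
		h, err := setCookieHeader(mode)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SameSite=%q  <-  %s\n", sameSiteValue(h), h)
	}
}
```

Two practical points when choosing the mode: `Strict` withholds the cookie on top-level navigations arriving from another site, so the first request after following an external link can fail token validation and needs a graceful retry or redirect; `Lax` still blocks the cross-site POSTs that CSRF relies on while tolerating those navigations. In either case SameSite is defence in depth on top of the token comparison, not a replacement for it, since older browsers ignore the attribute entirely.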

commented

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.