v1.5.0

• Default session cookie SameSite to Lax (previously unset). Improves protection against cross-site cookie sending while keeping typical first-visit flows working; use config.samesite = nil to omit the attribute, or HTTP::Cookie::SameSite::Strict for a stricter policy. Thanks @past3l 🙏