diff --git a/CHANGELOG.md b/CHANGELOG.md index 57acb26..2bc6949 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Token Handler Assistant Changelog +## [1.1.0-rc.3] - 2024-07-03 + +- Send `token-handler-version` header in all requests + ## [1.1.0-rc.2] - 2024-06-24 - Add forgotten `RefreshResponse` to exports. diff --git a/README.md b/README.md index 373b067..2c09c53 100644 --- a/README.md +++ b/README.md @@ -91,4 +91,12 @@ on every load of the SPA. This function makes a decision based the query string ); } ``` - Note: This is just a simplified example. The timeout has to be cleared properly (before every refresh, or before logout). \ No newline at end of file + Note: This is just a simplified example. The timeout has to be cleared properly (before every refresh, or before logout). + +## Cookie Security + +- `SameSite=Strict` cookies are sent to APIs, which cannot be sent from malicious sites +- to ensure that only precise whitelisted origins can send cookies to APIs, a `token-handler-version: 1` header is + sent by this library on every request to the OAuth Agent. In cross-origin deployments this ensures that a CORS pre-flight + request authorizes access. SPA developers may be required to send this header to token handler proxies as well (refer + to the token handler proxy documentation for details). \ No newline at end of file diff --git a/package-lock.json b/package-lock.json index 492e7c8..da500e2 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@curity/token-handler-js-assistant", - "version": "1.1.0-rc.2", + "version": "1.1.0-rc.3", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@curity/token-handler-js-assistant", - "version": "1.1.0-rc.2", + "version": "1.1.0-rc.3", "license": "Apache-2.0", "devDependencies": { "@types/jest": "^29.5.12", diff --git a/package.json b/package.json index e8cef16..c05c683 100644 --- a/package.json +++ b/package.json 
@@ -1,6 +1,6 @@ { "name": "@curity/token-handler-js-assistant", - "version": "1.1.0-rc.2", + "version": "1.1.0-rc.3", "description": "Curity Token Handler JavaScript helper library", "main": "lib/token-handler-assistant-lib.js", "types": "lib/index.d.ts", diff --git a/src/oauth-agent-client.ts b/src/oauth-agent-client.ts index 906ed6b..f39d27c 100644 --- a/src/oauth-agent-client.ts +++ b/src/oauth-agent-client.ts @@ -171,7 +171,8 @@ export class OAuthAgentClient { private async fetch(method: string, path: string, content?: URLSearchParams): Promise { const headers= { - accept: 'application/json' + accept: 'application/json', + 'token-handler-version': '1' } as Record if (path == 'login/start' || path == 'login/end') {
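Review bot: The new `'token-handler-version': '1'` entry in the `headers` literal of `fetch` is a bare magic string whose security purpose is explained only in the README, so a reader of this method cannot tell why it is sent or that its value must stay in step with what the OAuth Agent accepts. Lift it into module-level constants, `const TOKEN_HANDLER_VERSION_HEADER = 'token-handler-version';` and `const TOKEN_HANDLER_VERSION = '1';`, and put above the literal `// Custom header: forces a CORS pre-flight on cross-origin calls; the OAuth Agent is expected to reject requests that lack it (see README "Cookie Security")`. The header is a CSRF mitigation only if the agent actually enforces its presence, which this client cannot verify, so the comment should state it as an expectation rather than a guarantee. The body of `fetch` continues past the end of the hunk, and the type arguments after `Promise` and `Record` appear to have been dropped when this page was rendered.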