How to set the Secure attribute on Set-Cookie in Nginx through the nginx.conf file
Solution 1
Remember to add SameSite=None as well:
location /foo {
    proxy_pass http://localhost:4000;
    proxy_cookie_path /foo "/; SameSite=None; HTTPOnly; Secure";
}
Sources:
Solution 2
I had a look at this article: https://geekflare.com/httponly-secure-cookie-nginx/
In order to use set_cookie_flag HttpOnly Secure; you need to build nginx from source, adding the path of the secure cookie additional module with --add-module=/path/to/nginx_cookie_flag_module.
If you don't want to build nginx from source, you can add only proxy_cookie_path / "/; HTTPOnly; Secure"; to your configuration.
Following the article, it should be enough.
Solution 3
Another alternative option is to:
- Go to this directory: /etc/nginx/conf.d.
- Create an empty text file named ssl.conf (as you can see, there is an example_ssl.conf there).
- Add the syntax below in ssl.conf (or default.conf):
server {
    proxy_cookie_path / "/; HTTPOnly; Secure";
}
Note that the whole path "/" will be replaced. For example, the directive proxy_cookie_path /two/ /; will rewrite "path=/two/one/uri/" to "path=/one/uri/".
- Open /etc/nginx/nginx.conf and add the following command:
include /etc/nginx/conf.d/ssl.conf;
- Restart Nginx to see the results.
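The rewrite that proxy_cookie_path performs, as used in Solutions 1 to 3, modelled in Python so you can check what a browser will actually see before deploying the directive. This is an added example, not code from the answers above or from nginx itself; it assumes the plain-string form does a prefix replacement on the value of the path= attribute (the /two/ to / behaviour described in Solution 3) and leaves a cookie with no path= attribute untouched, and the Set-Cookie values are constructed.

```python
import re


def rewrite_cookie_path(set_cookie: str, match: str, replacement: str) -> str:
    """Model of the plain-string form of nginx's proxy_cookie_path.

    Assumption (consistent with the /two/ -> / example in Solution 3): nginx
    locates the path= attribute and, if its value starts with MATCH, swaps that
    prefix for REPLACEMENT and keeps the rest of the value. No path= attribute
    in the upstream cookie means nothing is rewritten.
    """
    m = re.search(r";\s*path=([^;]*)", set_cookie, flags=re.IGNORECASE)
    if m is None:
        return set_cookie
    path = m.group(1)
    if not path.startswith(match):  # prefix test, case-sensitive like nginx
        return set_cookie
    new_path = replacement + path[len(match):]
    return set_cookie[:m.start(1)] + new_path + set_cookie[m.end(1):]


def cookie_flags(set_cookie: str) -> dict:
    """Parse a Set-Cookie value as a browser does: attributes are separated by
    ';' and names are case-insensitive, so 'Securefoo' is NOT 'Secure'."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()
    return {
        "Secure": "secure" in attrs,
        "HttpOnly": "httponly" in attrs,
        "SameSite": attrs.get("samesite"),
        "Path": attrs.get("path"),
    }


if __name__ == "__main__":
    # Constructed upstream Set-Cookie values, run through the directive from
    # Solutions 2 and 3: proxy_cookie_path / "/; HTTPOnly; Secure";
    for upstream in ("session=abc; Path=/",
                     "session=abc; Path=/foo",
                     "sid=xyz; HttpOnly"):
        rewritten = rewrite_cookie_path(upstream, "/", "/; HTTPOnly; Secure")
        print(f"{upstream!r:32} -> {rewritten!r}")
        print("   ", cookie_flags(rewritten))
```

Run it against the real Set-Cookie lines your upstream sends: a cookie whose path is longer than the matched prefix, or that carries no Path attribute at all, comes out without a recognisable Secure flag, which is one way to end up with only HttpOnly in the response.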
Solution 4
The flag is only supported by nginx Plus https://www.nginx.com/products/nginx/modules/cookie-flag/
RamRajVasavi
Updated on November 12, 2020
Comments
- RamRajVasavi (over 3 years):
I am new to the Nginx server and recently started working on an nginx project. My task is to set security headers through the nginx.conf file. I set some headers correctly but am not able to set them for Set-Cookie. My requirement is that the Set-Cookie response header should have the Secure and HTTPOnly attributes. I added the two directives below in the nginx.conf file:
set_cookie_flag HttpOnly Secure;
proxy_cookie_path / "/; HTTPOnly; Secure";
I tried each one alone and both together, but only HttpOnly is coming. Please look at my conf file snippet below:
server {
    listen 80;
    server_tokens off;
    server_name http://{{ getenv "PROXY_URL" }};
    set_cookie_flag HttpOnly Secure;
    proxy_cookie_path / "/; HTTPOnly; Secure";
    include routes;
}
Please help me with what I need to add here or anything I missed.
Thanks in advance.
- arash yousefi (over 3 years): Thanks, is it possible to use just the HttpOnly option without Secure? Because I want to test it without HTTPS.
- Suciu Eus (almost 3 years): Why would you add SameSite=None? Do you want the cookie sent in a third-party context? I think Lax or Strict are better options.
- Raja (about 2 years): I use an Angular front end running in its own server on the local machine. That makes it a CORS situation. The cookie is blocked by the browser unless the SameSite=None and Secure flags are set.
- Raja (about 2 years): Fortunately, it is not necessary now to build Nginx from source to set this flag. The proxy_cookie_path idea suggested by @geoyws worked well for me. In fact, I had set the flag already in my Flask application, but somehow Nginx seems to have removed the flag. I had to add it back through the nginx.conf file.