How to set Secure attribute to Set-cookie in Nginx through nginx.conf file
4

13

I am new to the Nginx server and recently started working on an nginx project. I have a task to set security headers through the nginx.conf file. I set some headers correctly but am not able to set them for Set-Cookie. My requirement is that in the response header, Set-Cookie should have the Secure and HttpOnly attributes. I added the below two directives in the nginx.conf file:

set_cookie_flag HttpOnly Secure;
proxy_cookie_path / "/; HTTPOnly; Secure";

I tried with each one and with both, but only HttpOnly is coming. Please look at the snippet from my conf file below:

server {
    listen       80;
    server_tokens off;
    server_name  http://{{ getenv "PROXY_URL" }};
    set_cookie_flag HttpOnly Secure;
    proxy_cookie_path / "/; HTTPOnly; Secure";
    include routes;
}

Please help me with what I need to add here, or anything I missed.

Thanks in Advance.

Gisarme answered 20/2, 2018 at 8:28 Comment(1)
proxy_cookie_path is supposed to be for manipulating cookie paths, not for adding cookie flags. Abusing proxy_cookie_path that way is dangerous and can lead to difficult-to-track bugs. For example, if the proxied server returns a cookie path of "/mypath", this nginx config will convert it into "/; HttpOnly; Securemypath", which is clearly invalid. Burd
12

Remember to add SameSite=none as well:

location /foo {
    proxy_pass http://localhost:4000;
    proxy_cookie_path /foo "/; SameSite=None; HTTPOnly; Secure";
}

Sources:

  1. https://web.dev/samesite-cookies-explained/
  2. https://mcmap.net/q/859376/-how-to-set-secure-attribute-to-set-cookie-in-nginx-through-nginx-conf-file
Ascospore answered 4/8, 2020 at 7:58 Comment(3)
Why would you add SameSite=none? Do you want the cookie sent in a third-party context? I think Lax or Strict are better options. Bounteous
I use an Angular front end running in its own server on the local machine. That makes it a CORS situation. The cookie is blocked by the browser unless the SameSite=none and Secure flags are set. Statesman
On newer nginx (1.19 or later, I think): proxy_cookie_flags ~ secure; Pewit
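To make the two approaches above concrete, here is an added example (not nginx's code and not from any poster) that models nginx's documented proxy_cookie_path prefix replacement against constructed Set-Cookie headers, alongside a simplified model of what proxy_cookie_flags does, and audits which flags each result still lacks. The proxy_cookie_flags model (append a flag only if absent) is an assumption about nginx's behaviour, not a reading of its source.

```python
import re

# Constructed upstream Set-Cookie headers (not captured from any real server).
SAMPLES = [
    "sid=abc123; Path=/",
    "sid=abc123; Path=/mypath",
    "sid=abc123",
    "sid=abc123; Path=/; HttpOnly",
]

def cookie_attrs(header):
    """Lowercased attribute names that follow the name=value pair."""
    return {a.strip().split("=")[0].lower() for a in header.split(";")[1:]}

def rewrite_cookie_path(header, old, new):
    """Model of 'proxy_cookie_path old new': nginx replaces the prefix `old`
    of the path= attribute with `new`; cookies without path= are untouched."""
    def repl(m):
        value = m.group(2)
        if value.startswith(old):
            return m.group(1) + new + value[len(old):]
        return m.group(0)
    return re.sub(r"(;\s*[Pp]ath=)([^;]*)", repl, header, count=1)

def add_cookie_flags(header, *flags):
    """Simplified (assumed) model of 'proxy_cookie_flags ~ secure httponly':
    append each flag once, only when the cookie does not already carry it."""
    present = cookie_attrs(header)
    for flag in flags:
        if flag.lower() not in present:
            header += "; " + flag
    return header

def missing_flags(header):
    """Audit check: which of Secure / HttpOnly the header still lacks."""
    return {"secure", "httponly"} - cookie_attrs(header)

if __name__ == "__main__":
    for h in SAMPLES:
        mangled = rewrite_cookie_path(h, "/", "/; HttpOnly; Secure")
        flagged = add_cookie_flags(h, "Secure", "HttpOnly")
        print(f"{h!r}\n  proxy_cookie_path  -> {mangled!r} missing={missing_flags(mangled)}"
              f"\n  proxy_cookie_flags -> {flagged!r} missing={missing_flags(flagged)}")
```

Running it shows the two failure modes a header-only audit catches: a path other than "/" yields the mangled "Securemypath" attribute, and a cookie with no Path attribute passes through proxy_cookie_path with no flags added at all.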
5

I had a look at this article https://geekflare.com/httponly-secure-cookie-nginx/

In order to use set_cookie_flag HttpOnly Secure; you need to build nginx from source, adding the path of the secure cookie module with --add-module=/path/to/nginx_cookie_flag_module.

If you don't want to build nginx from source, you can add only proxy_cookie_path / "/; HTTPOnly; Secure"; to your configuration.

Following the article, it should be enough.

Tonguelashing answered 4/2, 2019 at 9:6 Comment(1)
Fortunately, it is not necessary now to build Nginx from source to set this flag. The proxy_cookie_path idea suggested by @Ascospore worked well for me. In fact, I had set the flag already in my Flask application, but somehow Nginx seems to have removed the flag. I had to add it back through the nginx.conf file. Statesman
5

Another alternative option is to:

  1. Go to this directory: "/etc/nginx/conf.d".

  2. Create an empty text file by the name of ssl.conf (as you see, there is an example_ssl.conf there).

  3. Add the below syntax in ssl.conf (or default.conf):

    server { proxy_cookie_path / "/; HTTPOnly; Secure";}

    note that the whole path "/" will be replaced. For example the directive "proxy_cookie_path /two/ /;" will rewrite “path=/two/one/uri/” to “path=/one/uri/”.

  4. Open /etc/nginx/nginx.conf and add the following directive (the trailing semicolon is required):

    include /etc/nginx/conf.d/ssl.conf;

  5. Restart the Nginx to see the results.

Alimony answered 9/6, 2019 at 12:12 Comment(1)
Thanks, is it possible to use just the httponly option without secure? Because I want to test it without https. Holey
1

The flag is only supported by nginx Plus: https://www.nginx.com/products/nginx/modules/cookie-flag/

Floriaflorian answered 4/10, 2018 at 17:0 Comment(2)
It depends on how nginx was built from the open source. Use 'nginx -V' to check the flags for '--add-module' for 'nginx_cookie_flag_module'. I need to add this to my build. You don't have to buy NGINX Plus -- just build the open source. Verdugo
It's included also in nginx 1.19.3 (not Plus): nginx.org/en/docs/http/… proxy_cookie_flags ~ secure; Fixed this for me. Unthinkable