JPaulPunzalan

Reputation: 427

Add secure and httpOnly flags on Response cookies using NGINX

I'm new to NGINX and am in need of guidance.

Is it possible to add secure and httponly flags on Response cookies?

Below is the code that I added to the nginx config file:

proxy_cookie_path / "/iwc; secure; HttpOnly";

However, the HTTP and secure columns of the target response cookie in Chrome are still unchecked.

Thanks in advance!

Upvotes: 0

Views: 7335

Answers (3)

Suciu Eus

Reputation: 189

I believe you already have the cookie set from the backend. (add-header Set-Cookie - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie)

The better way is to use proxy_cookie_flags from Nginx version 1.19.3

For all cookies use:

proxy_cookie_flags ~ secure samesite=strict;

For some of the cookies you can use (or regex):

proxy_cookie_flags one httponly;

Check more in documentation: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_flags

Upvotes: 1

Mike Xue

Reputation: 31

The proxy_cookie_path setting in the article https://geekflare.com/httponly-secure-cookie-nginx/ is misleading. It does NOT work for me.

Actually, I just modified nginx.conf as below:

add_header Set-Cookie "user=$remote_user; Path=/; HttpOnly; Secure";

Then it works.

Upvotes: 0

RamRajVasavi

Reputation: 906

Please go through this link https://geekflare.com/httponly-secure-cookie-nginx/

You need to add this module to your nginx and rebuild nginx. For how to add a third-party module to nginx, please follow the link below: https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/

And add the above proxy_cookie_path with set_cookie_flag HttpOnly Secure; in your nginx.conf file, then it will work.

Upvotes: 0
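
One way to check which flags the proxy actually sends, independent of Chrome's cookie table (an added example, not part of the original thread; the header lines are constructed sample data and the function names are hypothetical):

```python
# Added example: audit Set-Cookie response headers for Secure / HttpOnly.
# SAMPLE_HEADERS is constructed for illustration, not captured from a real server.

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attributes dict).

    Attribute names are matched case-insensitively. Flag attributes such as
    Secure and HttpOnly carry no value and are stored as True.
    """
    parts = [p.strip() for p in value.split(";")]
    # Only the first name=value pair is the cookie itself; the rest are attributes.
    name, _, _cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def audit_headers(raw_headers):
    """Return {cookie_name: [missing flags]} for every Set-Cookie line."""
    findings = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        findings[name] = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    return findings


SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=abc123; Path=/iwc; Secure; HttpOnly
Set-Cookie: theme=dark; Path=/
Set-Cookie: tracker=HttpOnly; path=/; secure
set-cookie: one=1; Path=/; httponly; SameSite=Strict
"""

if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

Feed it the header block of a response fetched through the proxy (for example the output of `curl -si`) to see the flags on each cookie as nginx sent them.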
