Reputation: 738
Nginx: secure and httponly cookies
Any ideas on how to do this in Nginx ?
I've tried using
proxy_cookie_path / "/; HTTPOnly; Secure";
But it is not working, tried creating modules for https://github.com/AirisX/nginx_cookie_flag_module
But I get an error :
2018/11/08 19:13:59 [emerg] 20894#20894: module "/etc/nginx/modules/ngx_http_cookie_flag_filter_module.so" is not binary compatible in /etc/nginx/nginx.conf:4
Any suggestions ?
Upvotes: 1
Views: 7178
Answers (3)
Reputation: 189
There's no need for an additional module or rewriting the cookie using proxy_cookie_path from Nginx version 1.19.3. You can just use the new configuration: proxy_cookie_flags.
For all cookie use:
proxy_cookie_flags ~ secure samesite=strict;
For some of the cookies you can use (or regex):
proxy_cookie_flags one httponly;
This will add the flags to your cookies according to the specified rules.
Check more in documentation: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_flags
Upvotes: 2
Reputation: 922
proxy_cookie_path should work without requiring cookie_flag module and rebuilding nginx with --add-module.
I was using nginx 1.10 version and proxy_cookie_path was not working. However, Once I upgraded nginx to 1.16.1 version, It is working fine without having need of additional module. Below are the steps.
yum install http://nginx.org/packages/rhel/6Server/x86_64/RPMS/nginx-1.16.1-1.el6.ngx.x86_64.rpm
make sure nginx version by running nginx -v and then add below in your nginx configuration under server
proxy_cookie_path / "/; HTTPOnly; Secure";
Restart nginx and check.
Upvotes: 0
Reputation: 5375
It's documented here. From the article:
A Nginx module called nginx_cookie_flag by Anton Saraykin let you quickly set cookie flag as HTTPOnly and Secure in Set-Cookie HTTP response header.
One thing you got to keep in mind that you need to build Nginx from the source code by adding the module.
Ex:
--add-module=/path/to/nginx_cookie_flag_module
Once Nginx is built with the above module, you can add the following line either in location or server directive in respective configuration file
set_cookie_flag HttpOnly secure;
Restart Nginx to verify the results
Upvotes: 0
Related Questions
- How to force a secure cookie over HTTP with Rails
- Add secure and httpOnly flags on Response cookies using NGINX
- How to set secure flag in my cookie using ngx-cookie-service for Angular?
- nginx auth_request with cookie
- Nginx set_cookie_flag security hardening alternative for Wordpress
- Is it possible to set up nginx without cookies?
- How to set cookies HTTPOnly and secure attributes?
- Cookies don't work, apache to nginx
- Nginx proxy_pass cookies
- nginx / php / php-fpm | Problem with storing cookies