Nginx: secure and httponly cookies

Any ideas on how to do this in Nginx?

I've tried using

proxy_cookie_path / "/; HTTPOnly; Secure";

But it is not working. I also tried building the module from https://github.com/AirisX/nginx_cookie_flag_module

But I get an error:

2018/11/08 19:13:59 [emerg] 20894#20894: module "/etc/nginx/modules/ngx_http_cookie_flag_filter_module.so" is not binary compatible in /etc/nginx/nginx.conf:4

Any suggestions?

Answers (3):

It's documented here. From the article:

An Nginx module called nginx_cookie_flag by Anton Saraykin lets you quickly set the cookie flags HTTPOnly and Secure in the Set-Cookie HTTP response header.

One thing you have to keep in mind is that you need to build Nginx from the source code, adding the module.

Ex:

--add-module=/path/to/nginx_cookie_flag_module

Once Nginx is built with the above module, you can add the following line either in the location or the server block of the respective configuration file:

set_cookie_flag HttpOnly secure;

Restart Nginx to verify the results.

proxy_cookie_path should work without requiring cookie_flag module and rebuilding nginx with --add-module.

I was using nginx version 1.10 and proxy_cookie_path was not working. However, once I upgraded nginx to version 1.16.1, it is working fine without needing an additional module. Below are the steps.

yum install http://nginx.org/packages/rhel/6Server/x86_64/RPMS/nginx-1.16.1-1.el6.ngx.x86_64.rpm

Make sure of the nginx version by running nginx -v, and then add the line below to your nginx configuration under server:

proxy_cookie_path / "/; HTTPOnly; Secure";

Restart nginx and check.
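As an added illustration (not part of any answer above), the following Python script audits Set-Cookie headers for the Secure and HttpOnly flags and emulates the exact-match rewrite that a plain-string proxy_cookie_path performs. The sample headers and the emulation are my own constructions and only approximate nginx's behaviour; the point they show is that a rewrite keyed on Path=/ leaves cookies with a different Path, or no Path at all, untouched.

```python
import re

# Constructed sample Set-Cookie headers, as a backend might emit them.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",
    "theme=dark; Path=/app; Max-Age=3600",
    "csrf=xyz; Secure; HttpOnly; SameSite=Strict",
    "tracker=1",
]

REQUIRED_FLAGS = ("secure", "httponly")


def cookie_attributes(header):
    """Split a Set-Cookie value into (cookie name, lowercase attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def missing_flags(header):
    """Return the required flags absent from one Set-Cookie header."""
    _, attrs = cookie_attributes(header)
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def emulate_proxy_cookie_path(header, path, replacement):
    """Approximation (assumed, not nginx code) of proxy_cookie_path with a
    plain first argument: only a Path attribute equal to `path` is rewritten."""
    def substitute(match):
        if match.group(2) == path:
            return match.group(1) + replacement
        return match.group(0)
    return re.sub(r"(?i)(;\s*path=)([^;]*)", substitute, header)


def audit(headers):
    """Map cookie name -> missing flags, for headers that still lack them."""
    report = {}
    for header in headers:
        name, _ = cookie_attributes(header)
        missing = missing_flags(header)
        if missing:
            report[name] = missing
    return report


if __name__ == "__main__":
    rewritten = [emulate_proxy_cookie_path(h, "/", "/; HTTPOnly; Secure")
                 for h in SAMPLE_HEADERS]
    for before, after in zip(SAMPLE_HEADERS, rewritten):
        print(f"{before!r} -> {after!r}")
    print("still unprotected:", audit(rewritten))
```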

From Nginx version 1.19.3 there's no need for an additional module or for rewriting the cookie using proxy_cookie_path. You can just use the new configuration option: proxy_cookie_flags.

For all cookies use:

proxy_cookie_flags ~ secure samesite=strict;

For some of the cookies you can use (or a regex):

proxy_cookie_flags one httponly;

This will add the flags to your cookies according to the specified rules.

See the documentation for more: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_flags