Questions & Answers

Nginx: secure and httponly cookies

Any ideas on how to do this in Nginx?

I've tried using

proxy_cookie_path / "/; HTTPOnly; Secure";

But it is not working, tried creating modules for

But I get an error:

2018/11/08 19:13:59 [emerg] 20894#20894: module "/etc/nginx/modules/" is not binary compatible in /etc/nginx/nginx.conf:4

Any suggestions?

Answers (3):

It's documented here. From the article:

An Nginx module called nginx_cookie_flag by Anton Saraykin lets you quickly set cookie flags as HTTPOnly and Secure in the Set-Cookie HTTP response header.

One thing you have to keep in mind is that you need to build Nginx from the source code by adding the module.

Once Nginx is built with the above module, you can add the following line in either the location or server directive in the respective configuration file:

set_cookie_flag HttpOnly secure;

Restart Nginx to verify the results

proxy_cookie_path should work without requiring the cookie_flag module and rebuilding nginx with --add-module.

I was using nginx version 1.10 and proxy_cookie_path was not working. However, once I upgraded nginx to version 1.16.1, it is working fine without needing an additional module. Below are the steps.

yum install

Check the nginx version by running nginx -v, and then add the line below to your nginx configuration under server:

proxy_cookie_path / "/; HTTPOnly; Secure";

Restart nginx and check.

There's no need for an additional module or rewriting the cookie using proxy_cookie_path from Nginx version 1.19.3. You can just use the new configuration: proxy_cookie_flags.

For all cookies use:

proxy_cookie_flags ~ secure samesite=strict;

For some of the cookies you can use (or regex):

proxy_cookie_flags one httponly;

This will add the flags to your cookies according to the specified rules.

Check more in documentation: