Setting the HttpOnly and Secure attributes on cookies in the HTTP response header helps protect your web applications against cross-site scripting and session manipulation attacks: HttpOnly keeps page scripts from reading the cookie, and Secure keeps the browser from sending it over plain HTTP. There are two ways to configure the HttpOnly and Secure cookie attributes in Nginx.
By using proxy_cookie_path
Add the following directive to ssl.conf or default.conf:

proxy_cookie_path / "/; HTTPOnly; Secure";

Restart Nginx to see the results. Note that this directive only rewrites Set-Cookie headers in responses from a proxied upstream (proxy_pass), and that it replaces the matched prefix of the Path attribute: a cookie with Path=/ is emitted as Path=/; HTTPOnly; Secure, a cookie with no Path attribute is left unchanged, and a cookie whose path is longer than / would have the attributes spliced into the middle of its path. Use this approach only when every cookie is scoped to Path=/.
By using the “nginx_cookie_flag_module” Module
An Nginx module called nginx_cookie_flag_module, by Anton Saraykin, lets you quickly set the HttpOnly and Secure flags on cookies in the Set-Cookie HTTP response header.
To implement secure cookies this way you need to build Nginx from source with the module added.
Add this flag to your configure options:

--add-module=/path/to/nginx_cookie_flag_module
Once Nginx is built with the module, add the following line in the location or server block of the relevant configuration file:

set_cookie_flag HttpOnly secure;

Restart Nginx to verify the results. Nginx 1.19.3 and later ship a built-in proxy_cookie_flags directive for the same purpose, so check your version before building from source.
Verify HTTPOnly Secure Cookie
To verify that the changes have been applied, use the Developer Tools in Chrome or Firefox (Network tab) to examine the Set-Cookie response headers and confirm that each cookie carries the HttpOnly and Secure attributes.
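The same verification can be scripted so it runs in a deployment check rather than by hand in a browser. The following Python checker is an added example, not code from the original post: it parses Set-Cookie header values, compares attribute names case-insensitively (so the HTTPOnly spelling produced by the proxy_cookie_path rewrite is accepted), and reports every cookie that lacks HttpOnly or Secure. The sample headers are constructed, and the URL fetch is only used when a URL is passed on the command line.

```python
import sys
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample Set-Cookie headers (not captured from a real server):
# a fully protected cookie, a cookie with no attributes at all, and a cookie
# that carries Secure but not HttpOnly.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HTTPOnly; Secure",
    "csrftoken=xyz789",
    "theme=dark; Path=/account; Secure",
]

# Attribute names are matched after lowercasing, as browsers treat them.
REQUIRED_FLAGS = ("httponly", "secure")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(headers):
    """Return {cookie_name: [missing flags]} for every cookie lacking HttpOnly or Secure."""
    report = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            report[name] = missing
    return report


def fetch_set_cookie_headers(url):
    """Request url and return all Set-Cookie headers of the final response (live check)."""
    try:
        response = urlopen(Request(url))
    except HTTPError as err:  # 4xx/5xx responses still carry Set-Cookie headers
        response = err
    return response.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SET_COOKIE
    report = missing_flags(headers)
    for name, flags in report.items():
        print(f"{name}: missing {', '.join(flags)}")
    if not report:
        print("all cookies carry HttpOnly and Secure")
```

Run it with your site's URL as the first argument after restarting Nginx; redirects are followed, so only the final response's cookies are inspected.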