Nginx HTTPOnly and Secure Cookie

Setting the HTTPOnly and Secure attributes on cookies in the HTTP response header helps protect your web applications against cross-site scripting and session manipulation attacks. There are two ways to configure the HTTPOnly and Secure cookie attributes in Nginx.

By using proxy_cookie_path

Add the following directives to ssl.conf or default.conf:

Restart Nginx to apply the change.

By using “nginx_cookie_flag_module” Module

An Nginx module, nginx_cookie_flag_module by Anton Saraykin, lets you set the HTTPOnly and Secure flags on cookies in the Set-Cookie HTTP response header.

To use this approach you need to build Nginx from source with the module added.

Add this flag to your configure arguments:

Once Nginx is built with the module, add the following line inside either a location or a server block in the relevant configuration file:

Restart Nginx to verify the results.
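The configuration both approaches above rely on, as an added example that is not from the original post: a TLS-terminating reverse proxy that appends the flags with proxy_cookie_path, with the module-based variant alongside it. The hostname, certificate paths and upstream address are placeholders, and the set_cookie_flag syntax is written as I recall it from the module's README, so check it against your build.

```nginx
# Added example, not from the original post. Assumes a TLS-terminating
# reverse proxy in front of an upstream at 127.0.0.1:8080 (placeholder).
server {
    listen 443 ssl;
    server_name example.com;                            # placeholder
    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path

    # --- Variant 1: proxy_cookie_path (no extra module needed) ---
    # Weak: upstream cookies pass through unchanged, e.g.
    #   Set-Cookie: session=abc; Path=/
    # Hardened: rewrite the Path attribute so the flags are appended:
    #   Set-Cookie: session=abc; Path=/; HttpOnly; Secure
    # The regex form captures the whole path, so Path=/app is handled too.
    # The widely copied plain form
    #   proxy_cookie_path / "/; HttpOnly; Secure";
    # does a prefix substitution and would turn Path=/app into a broken
    # value. Caveat for both forms: a cookie that carries no Path attribute
    # at all is not matched and therefore stays unflagged.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_cookie_path ~^(/.*)$ "$1; HttpOnly; Secure";
    }

    # On nginx 1.19.3 or newer the built-in proxy_cookie_flags directive
    # adds the flags to every cookie without touching the Path attribute:
    #   proxy_cookie_flags ~ httponly secure;

    # --- Variant 2: nginx_cookie_flag_module ---
    # Requires Nginx built with
    #   ./configure --add-module=/path/to/nginx_cookie_flag_module
    # "*" applies the flags to every Set-Cookie header; a cookie name can
    # be given instead to target a single cookie.
    #location / {
    #    proxy_pass http://127.0.0.1:8080;
    #    set_cookie_flag * HttpOnly secure;
    #}
}
```

Run `nginx -t` after editing and reload; a cookie set by the upstream should then arrive in the browser with both attributes.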

Verify HTTPOnly Secure Cookie

To verify that the changes have been applied, use the Developer Tools in Chrome or Firefox to examine the Set-Cookie response headers.

Want me to do this for you? Drop me a line: itgalaxyzzz {at} gmail [dot] com