I'm trying to host sites that use things like WordPress, using nginx as a reverse proxy for PHP-FPM. Often these systems will set all kinds of annoying cookies that are unnecessary and/or the site does not have permission to set.

So I'm looking to strip all cookies except for those that appear in an allow list. In WordPress for example, I might want to allow only the admin session cookie which is called wordpress_sec_*.

I've found the "headers more" extension which has some nice things like:

more_clear_headers 'Set-Cookie';

which will delete all cookies, though that's obviously excessive. I can probably delete specific cookies, but that's a whack-a-mole as plugins keep setting cookies they don't really need.

Any bright ideas?

Synchro
  • Not sure nginx has this option, but pretty sure that a tool like varnish can solve this problem for you (and probably haproxy as well). – Rabin Mar 03 '21 at 17:23
  • Indeed, some other tool would be better. That said, every cookie in WordPress should be GDPR compliant already. The same can't be said of every plugin or theme though. – Michael Hampton Mar 03 '21 at 19:40
  • One thought I had is that it’s probably not too complicated to do using nginx’s built-in Lua support to script it. – Synchro Mar 03 '21 at 19:56

0 Answers
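
The allow-list filtering asked about above, done with the Lua scripting mentioned in the comments, as an added example that is not part of the original thread. It assumes nginx is built with lua-nginx-module (for example OpenResty); the server name, root and PHP-FPM socket path are placeholders.

```nginx
# Added example; assumes nginx built with lua-nginx-module (e.g. OpenResty).
server {
    listen 80;
    server_name example.test;                      # placeholder name
    root /var/www/html;                            # placeholder path

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path

        # Runs on every response after PHP-FPM has produced its headers.
        header_filter_by_lua_block {
            -- Allow list of cookie-name patterns (Lua patterns, anchored).
            -- wordpress_sec_ is the prefix named in the question.
            local allowed = { "^wordpress_sec_" }

            local cookies = ngx.header["Set-Cookie"]
            if not cookies then
                return
            end
            -- A single Set-Cookie header is returned as a string,
            -- several are returned as a table.
            if type(cookies) ~= "table" then
                cookies = { cookies }
            end

            local kept = {}
            for _, cookie in ipairs(cookies) do
                -- The cookie name is everything before the first equals sign.
                local name = cookie:match("^%s*([^=;%s]+)%s*=")
                if name then
                    for _, pattern in ipairs(allowed) do
                        if name:find(pattern) then
                            kept[#kept + 1] = cookie
                            break
                        end
                    end
                end
            end

            -- Assigning nil removes the header when nothing matched.
            ngx.header["Set-Cookie"] = (#kept > 0) and kept or nil
        }
    }
}
```

This only filters cookies set through `Set-Cookie` response headers; cookies created by client-side JavaScript never pass through nginx and are not affected.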