12

I am new to Nginx server. recently started working nginx project. I have task to set security headers through nginx.conf file. I set some header correctly but not able to set for Set-cookie. My requirement is, in response header Set-Cookie should have Secure and HTTPOnly attributes. Added below two directives in nginx.conf file

set_cookie_flag HttpOnly Secure;
proxy_cookie_path / "/; HTTPOnly; Secure";

Tried with each one and both also, but only HttpOnly coming. Please look into below for my conf file snippet

server {
    listen       80;
    server_tokens off;
    server_name  http://{{ getenv "PROXY_URL" }};
    set_cookie_flag HttpOnly Secure;
    proxy_cookie_path / "/; HTTPOnly; Secure"; 
    include routes;     
}

Please help me, what I need to add here or anything I missed.

Thanks in Advance.

Paulo Boaventura
  • 1,365
  • 1
  • 9
  • 29
RamRajVasavi
  • 896
  • 4
  • 12
  • 28
  • proxy_cookie_path is supposed to be for manipulating cookie paths, not for adding cookie flags. Abusing proxy_cookie_path that way is dangerous, an can lead to difficult to track bugs. For example, if the proxified server returns a cookie path of "/mypath", this nginx config will convert it into "/; HttpOnly; Securemypath", which is cleary invalid. – Philippe Plantier Oct 26 '22 at 15:48

4 Answers4

11

Remember to add SameSite=none as well:

location /foo {
    proxy_pass http://localhost:4000;
    proxy_cookie_path /foo "/; SameSite=None; HTTPOnly; Secure";
}

Sources:

  1. https://web.dev/samesite-cookies-explained/
  2. https://stackoverflow.com/a/56514484/1561922
geoyws
  • 3,326
  • 3
  • 35
  • 47
  • 1
    Why would you add SameSite=none? Do you want the cookie sent in a third-party context? I think Lax or Strict are better options. – Suciu Eus Jul 28 '21 at 08:46
  • I use an Angular front end running in its own server on the local machine. That makes it a CORS situation. The cookie is blocked by the browser unless SameSite=none and Secure flags are set. – Raja Jun 01 '22 at 15:33
  • 1
    On newer nginx (1.19 or later, I think): `proxy_cookie_flags ~ secure;` – Velizar Hristov Jan 21 '23 at 04:59
5

I had a look at this article https://geekflare.com/httponly-secure-cookie-nginx/

In order to use set_cookie_flag HttpOnly Secure; you need to build nginx from sources and while adding the path of the secure cookie additional module --add-module=/path/to/nginx_cookie_flag_module.

If you don't want to build nginx from sources, you can add only proxy_cookie_path / "/; HTTPOnly; Secure"; to your configuration.

Following the article, it should be enough.

Michael A.
  • 2,288
  • 1
  • 18
  • 21
  • Fortunately, it not necessary now to build Nginx from source to set this flag. The proxy_cookie_path idea suggested by @geoyws worked well for me. In fact, I had set the flag already in my Flask application, but somehow Nginx seems to have removed the flag. I had to add it back through nginx.conf file – Raja Jun 01 '22 at 17:24
5

Another alternative option is to:

  1. Go to this directory: "/etc/nginx/conf.d".

  2. Create an empty text file by the name of ssl.conf (As you see There is example_ssl.conf there).

  3. Add the below syntax in ssl.conf (or default.conf):

    server { proxy_cookie_path / "/; HTTPOnly; Secure";}

    note that the whole path "/" will be replaced. For example the directive "proxy_cookie_path /two/ /;" will rewrite “path=/two/one/uri/” to “path=/one/uri/”.

  4. Open /etc/nginx/nginx.conf and add following command:

    include /etc/nginx/conf.d/ssl.conf

  5. Restart the Nginx to see the results.

Community
  • 1
  • 1
Amirhossein Farmad
  • 121
  • 1
  • 5
1

The flag is only supported by nginx Plus https://www.nginx.com/products/nginx/modules/cookie-flag/

user1778602
  • 550
  • 5
  • 9
  • 1
    It depends on how nginx was built from the open source. Use 'nginx -V' to check the flags for '--add-module' for nginx_cookie_flag_module'. I need to add this to my build. You don't have to buy NGINX Plus -- just build the open source. – justdan23 Dec 21 '22 at 16:00