The intended production environment will be utilising an AWS EKS nginx ingress controller so it would be preferable to not require a bespoke build of nginx.

For local development the docker image https://hub.docker.com/r/lautre/nginx-cookie-flag has been installed, which should have the cookie-flag module pre-installed. Both methods suggested in the example at https://geekflare.com/httponly-secure-cookie-nginx/ have been tried, but don't seem to be working:

http { 
 ...
 proxy_cookie_path / "/; HTTPOnly;   Secure";
 ...
}

And

server {
 ...
 proxy_cookie_path / "/; HTTPOnly;   Secure";
 ...
}

Specifically, the token "atlassian.xsrf.token" is never signed as HttpOnly; this is being generated from a Jira plugin within the web app: https://confluence.atlassian.com/adminjiracloud/using-the-issue-collector-776636529.html

Questions:

  1. Most examples found are the same as the one above; is the external module the only solution available?
  2. Does the nginx Plus version have this module baked in, allowing it to be referenced by default?
djamey

2 Answers

You can also solve this using the add_header directive and manually setting the cookie.

Example:

location / {
    add_header Set-Cookie 'MyCookie=SomeValue; Path=/; HttpOnly; Secure';
    proxy_pass http://1.2.3.4;
}
  • Thank you for your suggestion; unfortunately, this did not solve my particular issue. It might be due to the source of the cookie. – djamey May 07 '20 at 13:48
No need to compile nginx, just use:

proxy_cookie_flags ~ secure httponly;

You might need to update your version of nginx, as this wasn't yet available as of nginx 1.12. I think it was added in 1.19.

Velizar Hristov
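As an added illustration (not code from the question or either answer), the Python below models why the two answers behave differently: add_header emits an extra Set-Cookie header and leaves the upstream cookie untouched, whereas proxy_cookie_flags ~ secure httponly rewrites every upstream cookie. The cookie names and values are constructed placeholders; the checker can be pointed at real Set-Cookie headers (e.g. from curl -sI) to verify a proxy configuration.

```python
from typing import Dict, List

# Constructed sample of upstream Set-Cookie headers, modelled on the question:
# a Jira XSRF token cookie with no flags and a session cookie with HttpOnly only.
UPSTREAM_SET_COOKIE = [
    "atlassian.xsrf.token=TOKEN-PLACEHOLDER|lout; Path=/jira",
    "JSESSIONID=SESSION-PLACEHOLDER; Path=/jira; HttpOnly",
]

# (lower-case attribute name, canonical spelling) for the two flags we care about
FLAGS = (("secure", "Secure"), ("httponly", "HttpOnly"))


def cookie_flags(header: str) -> Dict[str, bool]:
    """Report which of Secure/HttpOnly a Set-Cookie header carries.
    Attribute names are case-insensitive (RFC 6265), so HTTPOnly == HttpOnly."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header.split(";")[1:]}
    return {flag: flag in attrs for flag, _ in FLAGS}


def missing_flags(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> flags it lacks. An empty dict means every cookie is hardened."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        name = header.split(";", 1)[0].split("=", 1)[0].strip()
        missing = [flag for flag, present in cookie_flags(header).items() if not present]
        if missing:
            report[name] = missing
    return report


def add_header_approach(headers: List[str]) -> List[str]:
    """Model the add_header answer: a *new* Set-Cookie is appended to the response,
    the upstream cookies pass through unchanged."""
    return headers + ["MyCookie=SomeValue; Path=/; HttpOnly; Secure"]


def rewrite_flags(headers: List[str]) -> List[str]:
    """Model `proxy_cookie_flags ~ secure httponly`: every upstream cookie gains the
    flags it is missing, without duplicating ones already present."""
    rewritten = []
    for header in headers:
        present = cookie_flags(header)
        extra = "".join(f"; {label}" for flag, label in FLAGS if not present[flag])
        rewritten.append(header + extra)
    return rewritten


if __name__ == "__main__":
    print("upstream       :", missing_flags(UPSTREAM_SET_COOKIE))
    print("add_header     :", missing_flags(add_header_approach(UPSTREAM_SET_COOKIE)))
    print("cookie_flags   :", missing_flags(rewrite_flags(UPSTREAM_SET_COOKIE)))
```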