In nginx reverse proxy, how to set the secure flag for cookies?
I'm using nginx as a reverse proxy to serve an https-only site, so I want the cookies for this site flagged as secure. But the backend server is an http one, so it won't set the secure flag on its cookies. How can I modify the Set-Cookie header in the response to add a secure flag?
You might be able to get your nginx proxy to modify the cookies created by the backend and set the secure flag - for inspiration see "How to rewrite the domain part of Set-Cookie in a nginx reverse proxy?".
However I'd imagine that getting whatever is creating the cookie on the backend to set the secure flag is going to be a better solution. How you do that is another story (or question :).
I use the following nginx config code:
# make cookie secure (case sensitive)
proxy_cookie_domain ~(?P<secure_domain>([-0-9a-z]+\.)?[-0-9a-z]+\.[a-z]+)$ "$secure_domain; secure";
Instead of using the regex to make this dynamic, you can of course use the FQDN.
This helped me:
proxy_cookie_path / "/; secure";
See http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path
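A check that the rewrite reached every cookie, as an added example that is not part of any answer above: `proxy_cookie_path` and `proxy_cookie_domain` only rewrite a Path or Domain attribute the backend actually sent, so a cookie without that attribute passes through without the flag. The sample headers are constructed and the function names are this example's own.

```python
"""Audit Set-Cookie headers seen through the proxy for a missing Secure flag."""
import sys
import urllib.request


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = value.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return name, attrs


def cookies_missing_secure(set_cookie_values):
    """Return names of cookies whose attribute list has no Secure flag."""
    missing = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample: headers as a client might see them behind a proxy
# that appends the flag through a path-based rewrite.
SAMPLE = [
    "sid=abc123; Path=/; secure; HttpOnly",   # Path present, flag appended
    "lang=en; Max-Age=3600",                  # no Path attribute, untouched
    "theme=dark; Path=/; Secure",             # backend already set the flag
    "note=not-secure; Path=/; HttpOnly",      # 'secure' only inside the value
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check; the URL is supplied by the operator.
        with urllib.request.urlopen(sys.argv[1]) as resp:
            values = resp.headers.get_all("Set-Cookie") or []
    else:
        values = SAMPLE
    bad = cookies_missing_secure(values)
    print("missing Secure:", ", ".join(bad) if bad else "none")
    sys.exit(1 if bad else 0)
```

Run it with the site's https URL as the only argument to check live responses; the exit status is non-zero when any cookie lacks the flag.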