In nginx reverse proxy, how to set the secure flag for cookies?

nginx reverse-proxy

I'm using nginx as a reverse proxy to serve a https-only site. So I want the cookies for this site flagged as secure. But the backend server is an http one so it won't set the secure flag to its cookies. How can I modify the Set-Cookie header in response to add a secure flag?


You might be able to get your nginx proxy modify the cookies created by the backend and set the secure flag - for inspiration see How to rewrite the domain part of Set-Cookie in a nginx reverse proxy?.

However I'd imagine that getting whatever is creating the cookie on the backend to set the secure flag is going to be a better solution. How you do that is another story (or question :).


I use the following nginx config code: 

# make cookie secure (case sensitive)
proxy_cookie_domain ~(?P<secure_domain>([-0-9a-z]+\.)?[-0-9a-z]+\.[a-z]+)$ "$secure_domain; secure";

Instead of the regex to make this dynamical you can of course use the FQDN.


This help me:

proxy_cookie_path / "/; secure";

See http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path

Related

How do a I edit .conf file for a postgres AWS RDS?
CannotPullContainerError on AWS ECS
Enable blowfish-based hash support for crypt
Documenting an outage for a post-mortem review
ulimit for windows
WEP/WPA/WPA2 and wifi sniffing
How to detect in PHP, if it is running on Apache, Nginx or some other webserver? [closed]
Any logs of if/when "at" jobs were executed? [duplicate]
How do you delete a counter in graphite whisper?
How do I specify subjectAltName in the openssl cli?
Windows 2012 R2 start button not working over RDP
Avoiding swap on ElastiCache Redis