Add samesite to cookies using Nginx as reverse proxy

With Nginx as reverse proxy, how do you add samesite=strict or samesite=lax to cookies?


With this code you can define all your application cookies as secure, httponly and/or samesite using proxy_cookie_path (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path):

location / {
    # your usual config ...
    # hack, set all cookies to secure, httponly and samesite (strict or lax)
    proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
}

I had a similar problem with a web app which doesn't support the samesite attribute. I've created a workaround similar to @Beccari's solution:

proxy_cookie_path ~^/(.+)$ "/$1; SameSite=none";

You have to put it in the proper context, in my case in location. If you need to set the none value like in my case, please remember that you have to add the Secure attribute too, to enable third-party cookies for other websites.


I think the better way is to use proxy_cookie_flags from Nginx version 1.19.3.

For all cookies use:

proxy_cookie_flags ~ secure samesite=strict;

For some of the cookies you can use (or regex):

proxy_cookie_flags one httponly;

Check more in documentation: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_flags
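
To confirm that any of the directives above actually took effect, the Set-Cookie headers returned through the proxy can be audited. The following is an added example, not part of the original answers: the function names and the sample header lines are constructed for illustration, and in practice the input would be the response header lines captured from a request made through the proxy.

```python
# Added example: audit Set-Cookie headers as seen through the reverse proxy.
# SAMPLE_HEADERS is constructed for illustration, not captured output.
SAMPLE_HEADERS = [
    "Set-Cookie: session=abc123; Path=/; secure; HttpOnly; SameSite=strict",
    "Set-Cookie: prefs=dark",  # upstream sent no Path attribute and no flags
    "Set-Cookie: widget=1; Path=/embed; SameSite=none",
    "Set-Cookie: csrf=xyz; HttpOnly; Secure; SameSite=Lax",
    "Content-Type: text/html",
]

def parse_set_cookie(line):
    """Return (cookie_name, {attr_lower: value}) or None for other headers."""
    name, sep, value = line.partition(":")
    if not sep or name.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    cookie_name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in filter(None, parts[1:]):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return cookie_name, attrs

def audit(header_lines):
    """Map each cookie name to a list of findings (empty list = all flags OK)."""
    report = {}
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None:
            continue
        name, attrs = parsed
        findings = []
        if "secure" not in attrs:
            findings.append("missing Secure")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly")
        samesite = attrs.get("samesite", "").lower()
        if samesite not in ("strict", "lax", "none"):
            findings.append("missing or invalid SameSite")
        elif samesite == "none" and "secure" not in attrs:
            findings.append("SameSite=None without Secure")
        report[name] = findings
    return report

if __name__ == "__main__":
    for cookie, findings in audit(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not findings else "; ".join(findings))
```

A cookie that the upstream sets without a Path attribute is not changed by the proxy_cookie_path approach, because that directive only rewrites the path attribute, so it shows up in this audit as missing its flags.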