How to Implement HTTPOnly and Secure Cookie in Nginx?

Netsparker Web Application Security Scanner - the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

One of you asked this.

I love feedback! It gives me an idea of what to write.

Previously, I explained how to configure Apache HTTP server with HTTPOnly and Secure flag and in this article, I’ll talk about doing the same thing on Nginx web server.

Having HTTPOnly and Secure in HTTP response header can help to protect your web applications from cross-site scripting and session manipulation attacks.

There are multiple ways to get this configured.

Within application code by developers
Injecting headers from network edge, F5
Configuring at web servers

There are two possible ways to achieve this in Nginx web server.

By using “nginx_cookie_flag_module” Module

A Nginx module called nginx_cookie_flag by Anton Saraykin let you quickly set cookie flag as HTTPOnly and Secure in Set-Cookie HTTP response header.

One thing you got to keep in mind that you need to build Nginx from the source code by adding the module.

Ex:

--add-module=/path/to/nginx_cookie_flag_module

Once Nginx is built with the above module, you can add the following line either in location or server directive in respective configuration file

set_cookie_flag HttpOnly secure;

Restart Nginx to verify the results

By using proxy_cookie_path

Another alternative option is to add the below syntax in ssl.conf or default.conf

proxy_cookie_path / "/; HTTPOnly; Secure";

Restart the Nginx to see the results

Verification

If you are testing Intranet based sites, then you can use “Developer Tools” in Chrome to examine the request headers. However, for Internet-facing, you can use online HTTP response header checker tool.

I hope this helps to secure & harden Nginx web server.

Power Your Business

Netsparker

Netsparker uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities with proof of exploit, thus making it possible to scan thousands of web applications and generate actionable results within just hours.

Try Netsparker

Kinsta

Probably the best managed WordPress cloud platform to host small to enterprise sites. Kinsta leverages Google's low latency network infrastructure to deliver content faster. Free SSL, CDN, backup and a lot more with outstanding support. You'll love it.

Try Kinsta

Sucuri

A global CDN and cloud-based web application firewall for your website to supercharge the performance and secure from online threats. SUCURI WAF protects from OWASP top 10 vulnerabilities, brute force, DDoS, malware, and more.

Try Sucuri

How to Implement HTTPOnly and Secure Cookie in Nginx?

By using “nginx_cookie_flag_module” Module

By using proxy_cookie_path

Verification

More Great Reading on Geekflare

Network Security – Basics and 12 Learning Resources

What is DNS Cache Poisoning – How it Works and Prevention Measures?

7 Best Practices to Secure a Static Website

How Artificial Intelligence will Affect Cybersecurity?

10 Best ASN Online Lookups, Scripts, and API

6 Business Email Security Solutions to Protect from Spam and Phishing Attacks

Power Your Business

Choosing the right product and service is essential to run an online business. Here are some of the tools and services to help your business grow.

Netsparker

Kinsta

Sucuri