Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
In Nginx and Security Last updated: September 6, 2022
Share on:
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

One of you asked this.


I love the feedback! It gives me an idea of what to write.

Previously, I explained how to configure the Apache HTTP server with HTTPOnly and Secure flag, and in this article, I’ll talk about doing the same thing on Nginx web server.

Having HTTPOnly and Secure in HTTP response header can help to protect your web applications from cross-site scripting and session manipulation attacks.

There are multiple ways to get this configured.

  • Within application code by developers
  • Injecting headers from the network edge, F5
  • Configuring at web servers

There are two possible ways to achieve this in Nginx web server.

By using “add_header” directive

An easy way to set cookie flag as HTTPOnly and Secure in Set-Cookie HTTP response header. Take a backup of the necessary configuration file and add the following in nginx.conf under http block.

add_header Set-Cookie "Path=/; HttpOnly; Secure";

Restart Nginx to verify the results

By using proxy_cookie_path

Another alternative option is to add the below syntax in ssl.conf or default.conf

proxy_cookie_path / "/; HTTPOnly; Secure";

Restart the Nginx to see the results


If you are testing Intranet based sites, then you can use “Developer Tools” in Chrome to examine the request headers. However, for Internet-facing, you can use an online HTTP response header checker tool.

I hope this helps to secure & harden the Nginx web server.

  • Chandan Kumar
    As the founder of Geekflare, I’ve helped millions to excel in the digital realm. Passionate about technology, I’m on a mission to explore the world and amplify growth for professionals and businesses alike.
Thanks to our Sponsors
More great readings on Nginx
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.
    Try Monday
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder