• Get application security done the right way! Detect, Protect, Monitor, Accelerate, and more…
  • One of you asked this.

    I love the feedback! It gives me an idea of what to write.

    Previously, I explained how to configure the Apache HTTP server with HTTPOnly and Secure flag, and in this article, I’ll talk about doing the same thing on Nginx web server.

    Having HTTPOnly and Secure in HTTP response header can help to protect your web applications from cross-site scripting and session manipulation attacks.

    There are multiple ways to get this configured.

    • Within application code by developers
    • Injecting headers from the network edge, F5
    • Configuring at web servers

    There are two possible ways to achieve this in Nginx web server.

    By using “nginx_cookie_flag_module” Module

    An Nginx module called nginx_cookie_flag by Anton Saraykin let you quickly set cookie flag as HTTPOnly and Secure in Set-Cookie HTTP response header.

    One thing you got to keep in mind that you need to build Nginx from the source code by adding the module.

    Ex:

    --add-module=/path/to/nginx_cookie_flag_module

    Once Nginx is built with the above module, you can add the following line either in location or server directive in the respective configuration file

    set_cookie_flag HttpOnly secure;

    Restart Nginx to verify the results

    By using proxy_cookie_path

    Another alternative option is to add the below syntax in ssl.conf or default.conf

    proxy_cookie_path / "/; HTTPOnly; Secure";

    Restart the Nginx to see the results

    Verification

    If you are testing Intranet based sites, then you can use “Developer Tools” in Chrome to examine the request headers. However, for Internet-facing, you can use an online HTTP response header checker tool.

    I hope this helps to secure & harden the Nginx web server.