Additional menu

Geekflare

Technology Blog, Web Tools and Resources to Supercharge Site and Business

How to Implement HTTPOnly and Secure Cookie in Nginx?

Netsparker Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

by | | Nginx, Security

One of you asked this.

nginx secure flag

I love feedback! It gives me an idea of what to write.

Previously, I explained how to configure Apache HTTP server with HTTPOnly and Secure flag and in this article, I’ll talk about doing the same thing on Nginx web server.

Having HTTPOnly and Secure in HTTP response header can help to protect your web applications from cross-site scripting and session manipulation attacks.

There are multiple ways to get this configured.

  • Within application code by developers
  • Injecting headers from network edge, F5
  • Configuring at web servers

There are two possible ways to achieve this in Nginx web server.

By using “nginx_cookie_flag_module” Module

A Nginx module called nginx_cookie_flag by Anton Saraykin let you quickly set cookie flag as HTTPOnly and Secure in Set-Cookie HTTP response header.

One thing you got to keep in mind that you need to build Nginx from the source code by adding the module.

Ex:

--add-module=/path/to/nginx_cookie_flag_module

Once Nginx is built with the above module, you can add the following line either in location or server directive in respective configuration file

set_cookie_flag HttpOnly secure;

Restart Nginx to verify the results

By using proxy_cookie_path

Another alternative option is to add the below syntax in ssl.conf or default.conf

proxy_cookie_path / "/; HTTPOnly; Secure";

Restart the Nginx to see the results

Verification

If you are testing Intranet based sites, then you can use “Developer Tools” in Chrome to examine the request headers. However, for Internet-facing, you can use online HTTP response header checker tool.

I hope this helps to secure & harden Nginx web server.

More Reading

Why to pay more?

A curated list of best deals for your website and business. Save some $$$ this season to treat yourself or your family.

Astra

Build a unique website with Astra theme. The great thing is, its light-weight and neatly coded. Tons of customization with just few clicks.

GET 25% OFF

Keeper

A password manager to store your online passwords securely. Stay protected from data breaches and cyber-attacks.

GET 30% OFF

Udemy

Upgrade your skills by taking an online course. More than 100,000 courses to choose from. You can learn from anywhere, any devices.

GET 90% OFF

Thor

A powerful security software to protect from viruses, malware, ransomware, online threats. Secure your data and online identity today!

GET 70% OFF

A2 Hosting

Load your website up-to 20 times faster by hosting on A2 platform. Free SSL cert, WordPress optimized server, money-back and more.

GET 60% OFF

Malcare

A smart firewall and security plugin for WordPress to keep it secure from malicious requests, online threats, spam and more.

GET 25% OFF