Nginx Add Secure Flag to Cookies from proxied server

I know two ways to sorta do this, neither of them great. The first is to just abuse proxy_cookie_path like this:

proxy_cookie_path / "/; secure";

The second is to use the more_set_headers directive from the Headers More module like this:

more_set_headers 'Set-Cookie: $sent_http_set_cookie; secure';

Both of these can introduce problems because they blindly add the items. For example if the upstream sets the secure flag you will wind up sending the client a duplicate like this:

Set-Cookie: foo=bar; secure; secure;

and in the second case if the upstream app does not set a cookie nginx will send this to the browser:

Set-Cookie; secure;

This is doubleplusungood, of course.

I think this problem needs to be fixed, as many people have asked about it. In my opinion a directive is needed, something like this:

proxy_cookie_set_flags * HttpOnly;
proxy_cookie_set_flags authentication secure HttpOnly;

but alas, this does not currently exist :(
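
The logic a flag-setting filter needs in order to avoid the two failure modes described above (a duplicated `secure`, and a header emitted when the upstream set no cookie), as an added example that is not part of the original answer and not nginx or module code. It is plain JavaScript; the names `applyCookieFlags`, `addFlags`, `flagsFor`, `RULES` and `SAMPLE` are hypothetical, and the rule table mirrors the `proxy_cookie_set_flags` directive proposed above, which does not exist.

```javascript
// Added example: idempotent cookie-flag rewriting (plain JavaScript, no nginx API used).
const CANONICAL = { secure: 'Secure', httponly: 'HttpOnly' };
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// rules: { cookieName or "*": [flags] }, modelled on the hypothetical
// proxy_cookie_set_flags directive. Own-property lookup keeps cookie names
// such as "constructor" from resolving to Object.prototype members.
function flagsFor(name, rules) {
  const pick = (key) => (own(rules, key) ? rules[key] : []);
  return [...new Set([...pick('*'), ...pick(name)].map((f) => f.toLowerCase()))];
}

// Rewrite one Set-Cookie value, appending only the flags it lacks.
function addFlags(value, rules) {
  const parts = value.split(';').map((p) => p.trim()).filter((p) => p !== '');
  if (parts.length === 0) return null; // empty value: nothing to rewrite
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  // Attribute names are case-insensitive, so compare them lower-cased.
  const present = new Set(parts.slice(1).map((p) => p.split('=')[0].trim().toLowerCase()));
  for (const flag of flagsFor(name, rules)) {
    if (!present.has(flag)) {
      parts.push(own(CANONICAL, flag) ? CANONICAL[flag] : flag);
      present.add(flag);
    }
  }
  return parts.join('; ');
}

// headerValues: the upstream's Set-Cookie values (undefined, a string, or an array).
// Returns an array; it is empty when the upstream set no cookie, so nothing is emitted.
function applyCookieFlags(headerValues, rules) {
  if (headerValues === undefined || headerValues === null) return [];
  const list = Array.isArray(headerValues) ? headerValues : [headerValues];
  return list.map((v) => addFlags(v, rules)).filter((v) => v !== null);
}

// Constructed sample input, not taken from a real upstream.
const RULES = { '*': ['HttpOnly'], authentication: ['secure', 'HttpOnly'] };
const SAMPLE = [
  'foo=bar; secure',
  'authentication=abc123; Path=/',
  'theme=dark; Path=/; HTTPONLY',
];
console.log(applyCookieFlags(SAMPLE, RULES));
```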


Try to use nginx_cookie_flag_module. It will solve your issue.

Disclaimer: I am the author of the module.