Nginx Add Secure Flag to Cookies from proxied server
I know two ways to sorta do this, neither of them great. The first is to just abuse proxy_cookie_path like this:
proxy_cookie_path / "/; secure";
The second is to use the more_set_headers directive from the Headers More module like this:
more_set_headers 'Set-Cookie: $sent_http_set_cookie; secure';
Both of these can introduce problems because they blindly add the items. For example if the upstream sets the secure flag you will wind up sending the client a duplicate like this:
Set-Cookie: foo=bar; secure; secure;
and in the second case if the upstream app does not set a cookie nginx will send this to the browser:
Set-Cookie; secure;
This is doubleplusungood, of course.
I think this problem needs to be fixed, as many people have asked about it. In my opinion a directive is needed, something like this:
proxy_cookie_set_flags * HttpOnly;
proxy_cookie_set_flags authentication secure HttpOnly;
but alas, this does not currently exist :(
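The behaviour the answer above asks for, sketched in Python as an added example (not part of either answer, and not nginx or module code): a flag is appended only when it is missing, and a response without a Set-Cookie header gets none. The rule table mirrors the wished-for proxy_cookie_set_flags lines; `add_flags`, `rewrite_headers` and the sample headers are constructed for illustration.

```python
# Added example: idempotent Set-Cookie flag rewriting.
# RULES mirrors the hypothetical directive lines from the answer:
#   proxy_cookie_set_flags * HttpOnly;
#   proxy_cookie_set_flags authentication secure HttpOnly;
# Assumption: a rule for a specific cookie name replaces the "*" rule.
RULES = {"*": ["HttpOnly"], "authentication": ["Secure", "HttpOnly"]}


def add_flags(value, rules):
    """Return one Set-Cookie value with each required flag present exactly once."""
    # Cookie values cannot contain ';' (RFC 6265), so splitting on it is safe.
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        return value  # empty or malformed: never invent a cookie
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive: "secure" and "Secure" are the same flag.
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    for flag in rules.get(name, rules.get("*", [])):
        if flag.lower() not in present:
            parts.append(flag)
            present.add(flag.lower())
    return "; ".join(parts)


def rewrite_headers(headers, rules):
    """Rewrite every Set-Cookie header; other headers pass through unchanged.

    If the upstream sent no Set-Cookie header, none is added.
    """
    return [
        (k, add_flags(v, rules)) if k.lower() == "set-cookie" else (k, v)
        for k, v in headers
    ]


# Constructed upstream response headers.
SAMPLE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "foo=bar; Path=/; secure"),
    ("Set-Cookie", "authentication=abc123; Path=/"),
]

if __name__ == "__main__":
    for name, value in rewrite_headers(SAMPLE, RULES):
        print(f"{name}: {value}")
```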
Try to use nginx_cookie_flag_module. It will solve your issue.
Disclaimer: I am the author of the module.