I love the feedback! It gives me an idea of what to write next. Previously, I explained how to configure the Apache HTTP server with the HTTPOnly and Secure flags, and in this article, I'll talk about doing the same thing on the Nginx web server. Having HTTPOnly and Secure set in the Set-Cookie HTTP response header helps protect your web applications against cross-site scripting and session manipulation attacks. There are multiple places where this can be configured:

Within the application code, by developers
By injecting headers at the network edge, for example on an F5
At the web server

There are two possible ways to achieve this in Nginx web server.

By using “add_header” directive

This is an easy way to set the HTTPOnly and Secure flags on the Set-Cookie HTTP response header. Take a backup of the relevant configuration file, then add the following in nginx.conf under the http block. Restart Nginx to verify the results.

An alternative option is to add the syntax below in ssl.conf or default.conf. Restart Nginx to see the results.
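The two configuration approaches described above, as an added example rather than the article's own snippet. The server name, certificate paths, upstream address and cookie name are placeholders, and the proxy_cookie_flags directive is only available in Nginx 1.19.3 and later.

```nginx
# Added example, not from the original article. All names and paths are placeholders.
http {
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /etc/nginx/tls/example.pem;
        ssl_certificate_key /etc/nginx/tls/example.key;

        # Option 1: add_header. This APPENDS a new Set-Cookie header for a cookie
        # that Nginx itself issues. It does NOT rewrite cookies set by a backend,
        # and without "always" it is only added to 2xx/3xx responses.
        add_header Set-Cookie "edge_marker=1; Path=/; HttpOnly; Secure" always;

        location / {
            proxy_pass http://127.0.0.1:8080;

            # Option 2a: proxy_cookie_path rewrites the Path attribute of cookies
            # coming FROM the backend and lets you append flags. Caveat: it only
            # matches cookies whose Path is exactly "/"; cookies without a Path
            # attribute, or with another path, are left untouched.
            proxy_cookie_path / "/; HttpOnly; Secure";

            # Option 2b (Nginx 1.19.3+): proxy_cookie_flags adds the flags to every
            # backend cookie matching the regex (~ matches all). This is the most
            # reliable choice when the application sets its own session cookie.
            proxy_cookie_flags ~ httponly secure;
        }
    }
}
```

Run `nginx -t` after editing so a typo in the directive is caught before the reload; if your Nginx is older than 1.19.3, drop the proxy_cookie_flags line and rely on proxy_cookie_path.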

Verification

If you are testing intranet-based sites, you can use the "Developer Tools" in Chrome to examine the response headers. For Internet-facing sites, you can use an online HTTP response header checker tool. I hope this helps you secure and harden the Nginx web server.
