14

Mozilla just released a new tool to check your website configuration. observatory.mozilla.org

But the scan is complaining about Cookies (-10 points): Session cookie set without the Secure flag ...

Unfortunately the service running behind my nginx can only set the secure header if the SSL terminates there directly and not when SSL terminates on the nginx. Thus the "Secure" flag is not set on the cookies.

Is it possible to append the "secure" flag to the cookies somehow using nginx? Modifing the location/path seems to be possible.

http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_domain

http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path

ST-DDT
  • 453
  • 1
  • 5
  • 12

2 Answers2

13

I know two ways to sorta do this, neither of them great. The first is to just abuse proxy_cookie_path like this:

proxy_cookie_path / "/; secure";

The second is to use the more_set_headers directive from the Headers More module like this:

more_set_headers 'Set-Cookie: $sent_http_set_cookie; secure';

Both of these can introduce problems because they blindly add the items. For example if the upstream sets the secure flag you will wind up sending the client a duplicate like this: 

Set-Cookie: foo=bar; secure; secure;

and in the second case if the upstream app does not set a cookie nginx will send this to the browser: 

Set-Cookie; secure;

This is doubleplusungood, of course.

I think this problem needs to be fixed as many people has asked about it. In my opinion a directive is needed something like this:

proxy_cookie_set_flags * HttpOnly;
proxy_cookie_set_flags authentication secure HttpOnly;

but alas, this does not currently exist :(

Larry
  • 146
  • 1
  • 3
  • The cookie path really looks like a nice workaround. I think I will try that first. Thanks for your help. – ST-DDT Sep 03 '16 at 21:43
  • 1
    I raised a [feature request](https://forum.nginx.org/read.php?10,283436) in the forum; hopefully the author is interested in that. – Franklin Yu Mar 20 '19 at 03:07
5

Try to use nginx_cookie_flag_module. It will solve your issue.

Disclaimer: I am the author of the module.

Jeff Schaller
  • 66,199
  • 35
  • 114
  • 250
Airis
  • 51
  • 1
  • 1
  • 5
    Could you elaborate on how the module is setup and configured. The README seems to suggest that it requires rebuilding nginx, which might not be acceptable in many setups. – Thomas Nyman Mar 17 '17 at 11:04
  • Yes, the useage of this module requires rebuilding Nginx. Otherwise you couldn't use it's directive. This applies to all third-party modules. In many cases, nginx rebuilding does not take much time. – Airis Mar 17 '17 at 17:46
  • @ThomasNyman Rebuilding can be avoided by paying for NGINX Plus, as explained in [instruction from NGINX](https://www.nginx.com/products/nginx/modules/cookie-flag/). – Franklin Yu Jun 25 '18 at 20:51
  • 1
    @Airis So you are the author? Great job, mate, but better to add a disclaimer. – Franklin Yu Jun 25 '18 at 20:59
  • @Aris we tried to use the module with 1.17.1 version of ngnix:alpine , but we face following errors once we try to load the modules to nginx.conf . 'module "/usr/local/nginx/modules/ngx_http_cookie_flag_filter_module.so" is not binary compatible' – Lokesh Jun 26 '19 at 18:51
  • I found the following gist useful in building this module: https://gist.github.com/muuvmuuv/f1a0e7b6a6a02c2253dc92350eab7607 – Alice Purcell Sep 03 '20 at 15:54