
Using ModSecurity with Apache and the OWASP CRS, there are some rules that use Apache-specific directives, for example (in the modsecurity_crs_55_application_defects.conf file):

Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!httponly).)+)$" "$1; HttpOnly"

and

Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!secure).)+)$" "$1; secure" env=secure_site

When using Nginx instead of Apache, nginx complains about these directives.

What are the equivalent rules for Nginx?

Ehsan Mahdavi
  • These rules just modify the `Set-Cookie` header to be `HttpOnly` and `secure`. You could (and should) just set them right in your application code. For PHP session see http://php.net/manual/en/function.session-set-cookie-params.php – Alexey Ten Mar 10 '16 at 07:47
  • The application is not in my hands – Ehsan Mahdavi Mar 10 '16 at 11:26

0 Answers
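The thread has no answer, so the following is an added example, not something posted by the asker, the commenters, or the CRS project. `Header edit` is an Apache mod_headers directive that the CRS file carries for convenience; it is not a ModSecurity rule, so the nginx build of ModSecurity cannot interpret it and the cookie flags have to be added by nginx itself. Since nginx 1.19.3 that is done with `proxy_cookie_flags`, which matches on the cookie name and appends the requested attributes to the proxied `Set-Cookie` header. The cookie-name pattern below is the one from the two CRS rules; the upstream address `127.0.0.1:8080`, the host name `example.com` and the certificate paths are placeholders. The Apache rule's `env=secure_site` condition has no direct counterpart; the equivalent is to add `secure` only in the TLS server block.

```nginx
# Added example, not from the thread or the CRS project.
# Assumes nginx >= 1.19.3 (proxy_cookie_flags) proxying to an application
# at 127.0.0.1:8080 (placeholder); example.com and the cert paths are placeholders.

# HTTPS vhost: the place where Apache's "env=secure_site" condition was true.
# Here both flags are added to session-style cookies coming back from the app.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/certs/example.com.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Same cookie-name alternatives as the CRS rules, case-insensitive via (?i:...)
        # and anchored with ^...$ so only the whole cookie name matches, as the
        # Apache regex required with its leading ^ and trailing "=".
        proxy_cookie_flags ~^(?i:_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)$ httponly secure;
    }
}

# Plain-HTTP vhost, if one is kept at all: only HttpOnly, mirroring the first
# Apache rule, which carries no env= condition. A Secure cookie set over HTTP
# would be discarded by browsers, so it is deliberately not added here.
server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://127.0.0.1:8080;

        proxy_cookie_flags ~^(?i:_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)$ httponly;
    }
}
```

After a reload, check the effect with `curl -sSI https://example.com/` (substituting the real host) and confirm that `Set-Cookie` lines for session cookies end in `; HttpOnly; Secure`; if the application already emits the attributes, nothing changes. As the comment above notes, doing this at the proxy is a compensating control for an application you cannot change: `HttpOnly` keeps the session token out of `document.cookie` and so out of reach of injected script, and `Secure` stops the browser from sending it over plaintext HTTP.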