With Nginx as reverse proxy, how do you add samesite=strict or samesite=lax to cookies?
-
There is any web-servers after your nginx? – Alexander Tolkachev May 17 '17 at 08:47
-
Yes, nginx as reverse proxy for web servers that usually don't support the samesite attribute. It may let you turn on/off httpOnly and secure, but not samesite. – Dr.Haribo May 17 '17 at 12:55
-
@Dr.Haribo you actually can set samesite flag using nginx, but you have to use `SameSite=strict` or `SameSite=lax`. By only setting `SameSite` won't work. – Beccari Nov 16 '17 at 21:10
3 Answers
With this code you can define all your application cookies as secure, httponly and/or samesite using proxy_cookie_path
(http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path)
location / {
# your usual config ...
# hack, set all cookies to secure, httponly and samesite (strict or lax)
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
}
- 296
- 3
- 5
-
1Nice trick setting additional attributes by modifying the path attribute :) – Dr.Haribo Nov 19 '17 at 09:55
-
4Unfortunately I could not get this work, I added the proxy_cookie_path to my location block, reloaded nginx, but I'm still serving serves cookies without the samesite attribute. Are there any updates to this answer? Or other configuration options to look out for? – YAHsaves Nov 13 '19 at 21:35
-
2
I had similar problem with web app which doesn't support samesite
attribute. I've created similar workaround to @Beccari solution:
proxy_cookie_path ~^/(.+)$ "/$1; SameSite=none";
You have to put it in proper context, in my case in location
.
If you need set up none
value like in my case, please remember that you have to add Secure
attribute too to enable third party cookies for other websites.
- 185
- 1
- 5
-
I really like the idea of using a proxy to change cookies, especially around a legacy application - but please **do not** update all of your cookies with `SameSite=None; Secure`. Ideally build out something like an allow-list to match against specific cookies, setting things to `SameSite=Lax` by default otherwise. I've done something similar for a Cloudflare worker here: https://github.com/GoogleChromeLabs/samesite-examples/blob/1c9e01ecfd8d9eb10fda9f2e63e9ce71e2680b6d/cloudflare-worker.md – rowan_m Apr 03 '20 at 11:36
-
Your solution is much more precise. My is simple, generic workaround, but you can apply this to specific path in you application. Wen you use e.g. `location /token/foo/boo { ...` you modify only cookies associated with this path. How can I apply your solution to my nginx? – Kacper Cichecki Apr 05 '20 at 18:34
-
This doesn't work. I'm using nginx 1.16 and after reloading nginx, and checking with chrome dev console, the cookie is not modified – Freedo Apr 08 '20 at 10:52
-
I've got 1.16.1 version. Make sure that this regex matches your path attribute, try any simple example of proxy_cookie_path directive to verify if you can change anything [http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path], make sure that you put this in proper place in configuration file. – Kacper Cichecki Apr 09 '20 at 22:29
I think the better way is to use proxy_cookie_flags from Nginx version 1.19.3
For all cookie use:
proxy_cookie_flags ~ secure samesite=strict;
For some of the cookies you can use (or regex):
proxy_cookie_flags one httponly;
Check more in documentation: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_flags
- 51
- 1
- 1