11

With Nginx as reverse proxy, how do you add samesite=strict or samesite=lax to cookies?

Dr.Haribo
  • Are there any web servers after your nginx? – Alexander Tolkachev May 17 '17 at 08:47
  • Yes, nginx as a reverse proxy for web servers that usually don't support the samesite attribute. It may let you turn on/off httpOnly and secure, but not samesite. – Dr.Haribo May 17 '17 at 12:55
  • @Dr.Haribo you actually can set the samesite flag using nginx, but you have to use `SameSite=strict` or `SameSite=lax`. Only setting `SameSite` won't work. – Beccari Nov 16 '17 at 21:10

3 Answers

18

With this code you can define all your application cookies as secure, httponly and/or samesite using proxy_cookie_path (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path).

location / {
    # your usual config ...
    # hack: rewrite the Path attribute so every cookie also gets secure, httponly and samesite (strict or lax)
    proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
}
Beccari
  • Nice trick setting additional attributes by modifying the path attribute :) – Dr.Haribo Nov 19 '17 at 09:55
  • Unfortunately I could not get this to work. I added the proxy_cookie_path to my location block and reloaded nginx, but I'm still serving cookies without the samesite attribute. Are there any updates to this answer? Or other configuration options to look out for? – YAHsaves Nov 13 '19 at 21:35
  • This also doesn't work for me after reloading nginx – Freedo Apr 08 '20 at 10:02
8

I had a similar problem with a web app which doesn't support the samesite attribute. I've created a similar workaround to @Beccari's solution:

proxy_cookie_path ~^/(.+)$ "/$1; SameSite=none";

You have to put it in the proper context, in my case in location. If you need to set the none value, like in my case, please remember that you also have to add the Secure attribute to enable third-party cookies for other websites.

Kacper Cichecki
  • I really like the idea of using a proxy to change cookies, especially around a legacy application - but please **do not** update all of your cookies with `SameSite=None; Secure`. Ideally build out something like an allow-list to match against specific cookies, setting things to `SameSite=Lax` by default otherwise. I've done something similar for a Cloudflare worker here: https://github.com/GoogleChromeLabs/samesite-examples/blob/1c9e01ecfd8d9eb10fda9f2e63e9ce71e2680b6d/cloudflare-worker.md – rowan_m Apr 03 '20 at 11:36
  • Your solution is much more precise. Mine is a simple, generic workaround, but you can apply this to a specific path in your application. When you use e.g. `location /token/foo/boo { ...` you modify only cookies associated with this path. How can I apply your solution to my nginx? – Kacper Cichecki Apr 05 '20 at 18:34
  • This doesn't work. I'm using nginx 1.16 and after reloading nginx, and checking with chrome dev console, the cookie is not modified – Freedo Apr 08 '20 at 10:52
  • I've got version 1.16.1. Make sure that this regex matches your path attribute; try any simple example of the proxy_cookie_path directive to verify that you can change anything [http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path], and make sure that you put this in the proper place in the configuration file. – Kacper Cichecki Apr 09 '20 at 22:29
5

I think the better way is to use proxy_cookie_flags, available from Nginx version 1.19.3.

For all cookie use:

proxy_cookie_flags ~ secure samesite=strict;

For some of the cookies you can use a name (or a regex):

proxy_cookie_flags one httponly;

Check more in documentation: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_flags

Suciu Eus
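Putting the last answer together with rowan_m's allow-list advice on the previous answer, here is an added example (not from any of the posts above) of a per-cookie policy with proxy_cookie_flags: the cookies that genuinely need cross-site delivery are named explicitly, and everything else falls back to SameSite=Lax. The cookie names `embed_session` and `partner_token`, the `csrf` prefix and the upstream address are assumptions made up for the example.

```nginx
# Added example, nginx >= 1.19.3. Several proxy_cookie_flags directives may sit
# at the same level; the first one that matches a Set-Cookie name wins, so the
# specific entries must come before the catch-all.
location / {
    proxy_pass http://127.0.0.1:8080;   # assumed upstream

    # Allow-list (assumed names): only these are sent in a cross-site context.
    # Browsers reject SameSite=None without Secure, so both are set together.
    proxy_cookie_flags embed_session secure httponly samesite=none;
    proxy_cookie_flags partner_token secure samesite=none;

    # Regex match (assumed prefix): anti-CSRF tokens get the strictest setting.
    proxy_cookie_flags ~^csrf secure httponly samesite=strict;

    # Default for every other cookie the upstream sets.
    proxy_cookie_flags ~ secure httponly samesite=lax;
}
```

Run `nginx -t` before reloading, then inspect the Set-Cookie headers of a proxied response (for example with `curl -sI`) to confirm the flags were actually rewritten; the directive only acts on Set-Cookie headers that pass through proxy_pass.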