3

For the sake of development I need to make NGINX drop the "Secure" flag from cookie headers.

Set-Cookie:XSRF-TOKEN=zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzz; Path=/; Secure

should become

Set-Cookie:XSRF-TOKEN=zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzz; Path=/;

For each Set-Cookie header. I am creating a reverse-proxy configuration to decouple the development server from the UI, and since the upstream is running behind HTTPS while NGINX is running on plain HTTP, the browser refuses to send cookies back.

Juriy
  • 140
  • 7

2 Answers

2

Since nginx 1.19.3 you can use proxy_cookie_flags (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_flags). For example:

proxy_cookie_flags some_cookie nosecure;

To remove the Secure flag from all cookies:

proxy_cookie_flags ~ nosecure;
kszafran
  • 21
  • 3
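
The directive from the answer above, placed in a complete development-only server block; this is an added example, not part of the original answer. The upstream host dev-backend.example.com and the local port 8080 are assumed names.

```nginx
# Development-only reverse proxy (constructed example).
# Assumed names: upstream host dev-backend.example.com, local port 8080.
server {
    # Bind to loopback only, so the plain-HTTP listener whose cookies no
    # longer carry Secure is not reachable from other machines.
    listen 127.0.0.1:8080;
    server_name localhost;

    location / {
        # The upstream is served over HTTPS, as in the question.
        proxy_pass https://dev-backend.example.com;

        # Send SNI so a name-based TLS upstream presents the right certificate.
        proxy_ssl_server_name on;

        # Requires nginx 1.19.3 or later. "~" starts a regular expression;
        # an empty one matches every cookie name, so Secure is removed from
        # each Set-Cookie header in the upstream response.
        proxy_cookie_flags ~ nosecure;

        # Narrower alternative: strip the flag from one named cookie only.
        # When several directives match a cookie, the first match is used.
        # proxy_cookie_flags XSRF-TOKEN nosecure;

        # If the upstream sets SameSite=None, browsers reject that cookie
        # once Secure is gone; rewrite SameSite in the same directive.
        # proxy_cookie_flags ~ nosecure samesite=lax;
    }
}
```

Keep this block out of any configuration that is deployed beyond a developer workstation, since cookies without Secure are sent over plain HTTP.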
1

I know this is quite an old question, but there is no answer here and I couldn't find a fine solution for the same problem.

So I forked nginx_cookie_flag_module module and changed it to nginx_unsecure_cookie_module: https://github.com/yumauri/nginx_unsecure_cookie_module

I'm a frontend developer, my C/C++ knowledge is super low, but it looks like it is working in my tests :) So I reckon it is good enough for development reasons.

yumaa
  • 161
  • 1
  • 1