Proxy domain rewrite using proxy_cookie_domain

Maxim Dounin mdounin at
Mon Feb 15 13:06:17 UTC 2016


On Mon, Feb 15, 2016 at 01:29:01AM -0500, nitin wrote:

> Thanks for the reply.
> In case the client is just a browser then it will send all the cookies with the NGINX
> domain which means that NGINX will send all the cookies to the backend server
> irrespective of who initially set it in the set-cookie header. This could be a
> security issue then.

For sure - if you are using untrusted backend servers in your 
domain this can be a security issue.  Regardless of what nginx 
does, actually - just Set-Cookie may be enough to be an issue.  
Moreover, any javascript returned by a backend server will be able 
to read all cookies as well.

Of course this should be considered when using multiple backend 
servers within a single domain.

Maxim Dounin
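
The cookie flow discussed in this thread, as an added example that is not part of the original message: a minimal model of RFC 6265 domain and path matching, showing which cookies a browser attaches (and the proxy therefore forwards) for each backend location. The proxy hostname, the `/app1/` and `/app2/` locations, and the cookie names are assumptions constructed for the illustration.

```python
# Added illustration: minimal model of browser cookie scoping (RFC 6265
# domain-match and path-match) behind a single reverse-proxy hostname.
# Hostnames, paths and cookie values below are constructed for the example.
from dataclasses import dataclass

PROXY_HOST = "www.example.test"           # assumed public name of the proxy
ROUTES = {"/app1/": "backend1", "/app2/": "backend2"}  # assumed locations


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    set_by: str  # which backend issued it (bookkeeping only)


def domain_match(host: str, cookie_domain: str) -> bool:
    d = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == d or host.endswith("." + d)


def path_match(request_path: str, cookie_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def backend_for(request_path: str) -> str:
    return next(b for prefix, b in ROUTES.items() if request_path.startswith(prefix))


def cookies_forwarded(jar, request_path):
    """Cookie names the browser attaches, i.e. what the proxy passes upstream."""
    return sorted(c.name for c in jar
                  if domain_match(PROXY_HOST, c.domain) and path_match(request_path, c.path))


# Both backends' cookies after the Domain was rewritten to the proxy host, Path=/
shared_jar = [Cookie("sid1", "a", PROXY_HOST, "/", "backend1"),
              Cookie("sid2", "b", PROXY_HOST, "/", "backend2")]
# Same cookies with Path limited to each backend's location prefix
scoped_jar = [Cookie("sid1", "a", PROXY_HOST, "/app1/", "backend1"),
              Cookie("sid2", "b", PROXY_HOST, "/app2/", "backend2")]

if __name__ == "__main__":
    for label, jar in (("Path=/", shared_jar), ("Path=/appN/", scoped_jar)):
        for path in ("/app1/index", "/app2/index"):
            print(label, path, "->", backend_for(path), cookies_forwarded(jar, path))
```

Path scoping only narrows the Cookie header the browser sends; it is not an isolation boundary against script served from the same host, which is the point made in the reply above.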
