Proxy domain rewrite using proxy_cookie_domain
Maxim Dounin
mdounin at mdounin.ru
Mon Feb 15 13:06:17 UTC 2016
Hello!
On Mon, Feb 15, 2016 at 01:29:01AM -0500, nitin wrote:
> Thanks for the reply.
> In case the client is just a browser, it will send all the cookies with the
> nginx domain, which means that nginx will send all the cookies to the backend
> server irrespective of who initially set them in the Set-Cookie header. This
> could be a security issue then.
For sure - if you are using untrusted backend servers in your
domain this can be a security issue. Regardless of what nginx
does, actually - just Set-Cookie may be enough to be an issue.
Moreover, any javascript returned by a backend server will be able
to read all cookies as well.
Of course this should be considered when using multiple backend
servers within a single domain.
--
Maxim Dounin
http://nginx.org/
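
The point made in the reply above, modelled as an added example (not part of the original message and not nginx code): a simplified RFC 6265 domain and path match showing which cookies a browser attaches to requests for two backends behind one host. The host www.example.com, the /a/ and /b/ location prefixes, and the cookie names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str   # Domain the browser stored (e.g. after a proxy_cookie_domain rewrite)
    path: str     # Path attribute as received by the browser
    set_by: str   # issuing backend: bookkeeping only, browsers do not record this

def domain_match(host: str, cookie_domain: str) -> bool:
    # Simplified RFC 6265 domain-match: exact host or a subdomain of the cookie domain.
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_match(request_path: str, cookie_path: str) -> bool:
    # RFC 6265 path-match: equal, or a prefix that ends on a "/" boundary.
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookies_sent(jar, host, request_path):
    """(name, issuer) of every cookie the browser attaches to this request."""
    return sorted((c.name, c.set_by) for c in jar
                  if domain_match(host, c.domain) and path_match(request_path, c.path))

HOST = "www.example.com"  # constructed: the single front-end host

# Case 1: both backends set Path=/ cookies, so each backend receives both.
SHARED = [Cookie("sid_a", HOST, "/", "backend_a"),
          Cookie("sid_b", HOST, "/", "backend_b")]

# Case 2: each cookie is scoped to its backend's own location prefix.
SCOPED = [Cookie("sid_a", HOST, "/a/", "backend_a"),
          Cookie("sid_b", HOST, "/b/", "backend_b")]

# Case 3: Set-Cookie's Path is not checked against the URL of the response that
# carries it, so backend_b can still issue a cookie that is delivered to /a/.
PLANTED = SCOPED + [Cookie("pref", HOST, "/a/", "backend_b")]

if __name__ == "__main__":
    for label, jar in (("shared", SHARED), ("scoped", SCOPED), ("planted", PLANTED)):
        for path in ("/a/index", "/b/index"):
            print(f"{label:8} {path:9} -> {cookies_sent(jar, HOST, path)}")
```

Path scoping narrows what each backend receives in the Cookie header, but as the third case shows it does not stop one backend from setting cookies that reach another.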