secure and httponly cookies

Krishna Kumar K K krishna at
Tue Mar 8 07:44:59 UTC 2016

Thing is it's failing in the vulnerability scan (Nexpose tool is used) saying cookie is not secure or httponly.

From: nginx [mailto:nginx-bounces at] On Behalf Of Aapo Talvensaari
Sent: Monday, March 07, 2016 11:34 PM
To: nginx at
Subject: Re: secure and httponly cookies

On Tuesday, 8 March 2016, Krishna Kumar K K <krishna at> wrote:
I am able to modify the set-cookie header from the server to flag it secure. I am trying to do the same in the request header as well.

Those flags are instructions to client. They don't have meaning on request headers. Only on response headers.
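
An added example, not part of the original thread: a minimal audit of `Set-Cookie` response headers for the `Secure` and `HttpOnly` attributes, next to a parse of a `Cookie` request header, which carries only name=value pairs and so has nothing to flag. The function names and all header values are constructed for illustration.

```python
# Added example. All header values below are constructed sample data.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, set of attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; the first name=value pair is the
    # cookie itself and is never treated as an attribute.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_set_cookie(headers):
    """Return {cookie_name: [missing flags]} over the Set-Cookie response headers."""
    findings = {}
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings

def parse_cookie_request(value):
    """Parse a Cookie request header: name=value pairs only, no attributes."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            pairs[key.strip()] = val.strip()
    return pairs

# Constructed response headers as an upstream or proxy might emit them.
RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
    ("Set-Cookie", "csrf=xyz; Path=/; secure; HttpOnly"),
    ("Set-Cookie", "mode=secure; Path=/"),  # value "secure" is not the flag
]
# Constructed request header: what the client sends back on the next request.
REQUEST_COOKIE = "SESSIONID=abc123; prefs=dark; csrf=xyz; mode=secure"

if __name__ == "__main__":
    for name, missing in audit_set_cookie(RESPONSE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
    print("request cookies:", parse_cookie_request(REQUEST_COOKIE))
```
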