secure and httponly cookies

Krishna Kumar K K krishna at Brocade.com
Tue Mar 8 07:44:59 UTC 2016


Thing is, it's failing in the vulnerability scan (the Nexpose tool is used), saying the cookie is not secure or httponly.

From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Aapo Talvensaari
Sent: Monday, March 07, 2016 11:34 PM
To: nginx at nginx.org
Subject: Re: secure and httponly cookies

On Tuesday, 8 March 2016, Krishna Kumar K K <krishna at brocade.com> wrote:
I am able to modify the set-cookie header from the server to flag it secure. I am trying to do the same in the request header as well.

Those flags are instructions to the client. They don't have meaning on request headers. Only on response headers.
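
The point made in the reply above, as an added example that is not part of the original thread: a check for the Secure and HttpOnly flags only makes sense against `Set-Cookie` response headers, because the `Cookie` request header carries bare name=value pairs. The function names and all header values are constructed for illustration.

```python
# Audit Set-Cookie response headers for the Secure and HttpOnly attributes.
# All header values below are constructed sample data.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, value, attrs dict)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, attr_val = part.partition("=")
        # Attribute names are case-insensitive, so normalise to lower case.
        attrs[key.strip().lower()] = attr_val.strip()
    return name.strip(), val.strip(), attrs

def audit_response(headers):
    """Return {cookie_name: [missing flags]} for each Set-Cookie header."""
    findings = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hvalue)
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings

def parse_request_cookie(value):
    """A Cookie request header holds only name=value pairs, no attributes."""
    pairs = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            pairs[name] = val
    return pairs

RESPONSE = [  # constructed response headers
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Set-Cookie", "csrf=xyz; Path=/; secure"),
]
REQUEST_COOKIE = "session=abc123; lang=en; csrf=xyz"  # constructed request header

if __name__ == "__main__":
    print(audit_response(RESPONSE))
    print(parse_request_cookie(REQUEST_COOKIE))
```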