secure and httponly cookies

Aleksandar Lazic al-nginx at none.at
Tue Mar 8 07:59:09 UTC 2016


Hi.

Am 08-03-2016 08:44, schrieb Krishna Kumar K K:
> Thing is its failing in the vulnerability scan (nexpose tool is used)
> saying cookie is not secure or httponly.

As Aapo said, the request header is a client header.
This is only changeable on the client side with some JavaScript code.

If you want to use such a solution, you can try this module.
http://nginx.org/en/docs/http/ngx_http_addition_module.html

But to be more precise which request header do you want to change?

client request --> nginx request --> IBM WebSeal request --> Other 
backend
   <JavaScript>    <Proxy set header>   ???                    ???


http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header

You can also try to use 'add_header ...' so that the client receives the
additional header and sends it back in the following requests.

http://nginx.org/en/docs/http/ngx_http_headers_module.html

As for the scanner, it gets the cookie from the response, not from the 
request, AFAIK.
Maybe you can turn on the debug logging and see what the scanner gets as 
a response.

http://nginx.org/en/docs/debugging_log.html

Maybe you will need the nginx-debug package.
What's your system on which you run nginx?

Aleks

> From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Aapo
> Talvensaari
> Sent: Monday, March 07, 2016 11:34 PM
> To: nginx at nginx.org
> Subject: Re: secure and httponly cookies
> 
> On Tuesday, 8 March 2016, Krishna Kumar K K <krishna at brocade.com> 
> wrote:
> 
> 
>> I am able to modify the set-cookie header from the server to flag it
>> secure. I am trying to do the same in the request header as well.
> 
> Those flags are instructions to client. They don't have meaning on
> request headers. Only on response headers.
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
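An added example, not from this thread and not nginx's or IBM's own configuration, of putting the flags where the scanner actually looks: on the Set-Cookie response header. The request Cookie header only carries name=value pairs and has no attributes, so there is nothing to flag on that side. The upstream address, server name and certificate paths are assumptions. The proxy_cookie_flags directive exists in nginx 1.19.3 and later, which postdates this 2016 thread; the commented proxy_cookie_path line is the workaround commonly used on older versions.

```nginx
# Added example (not from the original thread). Flag upstream session
# cookies as Secure and HttpOnly at the nginx edge in front of WebSEAL.
# Upstream address, server_name and certificate paths are assumptions.

upstream webseal_backend {
    server 127.0.0.1:8080;            # assumed IBM WebSEAL listener
}

server {
    listen 443 ssl;
    server_name example.com;          # assumed
    ssl_certificate     /etc/nginx/tls/example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/example.com.key;   # assumed path

    location / {
        proxy_pass http://webseal_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        # proxy_set_header only changes what goes *to* the backend. A
        # scanner never sees those headers, so it cannot fix the finding.

        # Before (weak): Set-Cookie from the backend is passed through
        # unchanged, e.g. a constructed "session=abc123; Path=/", and the
        # scanner reports it as neither Secure nor HttpOnly.

        # After (nginx >= 1.19.3): rewrite every Set-Cookie from this
        # upstream ("~" = match all cookie names) to add both flags.
        # Only the response is touched; request "Cookie:" headers have
        # no attributes and need no handling.
        proxy_cookie_flags ~ secure httponly;

        # Older nginx without proxy_cookie_flags: the usual workaround
        # appends the flags through the Path rewrite. It only affects
        # cookies whose Set-Cookie already carries "Path=/".
        # proxy_cookie_path / "/; HttpOnly; Secure";
    }
}
```

After reloading, check the response the same way the scanner does, with a real GET so the session cookie is actually set: `curl -sk -D - -o /dev/null https://example.com/ | grep -i '^set-cookie'` should show `; Secure; HttpOnly` on every session cookie. Debug logging is not needed for this; the headers are visible in the plain response. With the proxy_cookie_path workaround, a cookie set without any Path attribute is left unflagged, so verify each cookie name the scanner lists rather than just one.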
