Help with securing "route" cookie

Gerard Mattison gerardmattison455 at
Sat Nov 19 21:08:24 UTC 2016

Hello all,

I am using nginx with nginx-sticky-module-ng for distributing the load
among servers per specific user session for my Java application.

One of the issues I am having is that when I ran a vulnerability assessment,
the "route" cookie is coming up as not secure.

Attached image shows the issue.

I would appreciate it if anyone can help me make the route cookie secure.

Thanks in advance.

Best Regards,


*nginx configuration*

upstream jetty {
    sticky  secure;
    server fail_timeout=3s;
    server fail_timeout=3s;
    server fail_timeout=3s;
}

server {
    listen              80;
    return              301 https://$host$request_uri;
}

server {
    listen              443 ssl;

    access_log          /var/log/nginx/;
    error_log           /var/log/nginx/;

    ssl                 on;
    ssl_certificate     /etc/nginx/ssl/chain.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;

    location / {
        proxy_pass          http://jetty/;

        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_connect_timeout 90;
        proxy_send_timeout 180;
        proxy_read_timeout 180;
        proxy_buffer_size 128k;
        proxy_buffers 100 256k;
        proxy_busy_buffers_size 256k;
        proxy_intercept_errors on;
    }

    include             deny_dots.conf;
}
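
One way to reproduce the scanner's finding from response headers, as an added example that is not part of the original post: the script reports which Set-Cookie headers lack the Secure attribute. The header text and cookie values are constructed sample data, and the function names are hypothetical; real input would be the headers returned by the HTTPS listener.

```python
# Added example: audit Set-Cookie headers for required attributes.
# All header text below is constructed sample data.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(raw_headers, required=("secure",)):
    """Return {cookie name: [required attributes that are missing]}."""
    findings = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        # Skip the status line and every header that is not Set-Cookie.
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        findings[name] = [a for a in required if a not in attrs]
    return findings


# Constructed response: the sticky cookie is sent without Secure.
SAMPLE_FLAGGED = """HTTP/1.1 200 OK
Date: Sat, 19 Nov 2016 21:08:24 GMT
Set-Cookie: route=0a1b2c3d; Path=/
Set-Cookie: JSESSIONID=node01abc; Path=/; Secure; HttpOnly
"""

# Constructed response: the same cookie once the Secure attribute is emitted.
SAMPLE_FIXED = """HTTP/1.1 200 OK
Set-Cookie: route=0a1b2c3d; Path=/; Secure
"""

if __name__ == "__main__":
    for label, raw in (("flagged", SAMPLE_FLAGGED), ("fixed", SAMPLE_FIXED)):
        for cookie, missing in audit_cookies(raw).items():
            status = "missing " + ", ".join(missing) if missing else "ok"
            print(f"{label}: {cookie}: {status}")
```

Passing `required=("secure", "httponly")` extends the same check to the HttpOnly attribute.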