Help with securing "route" cookie

Francis Daly francis at
Mon Nov 21 14:35:20 UTC 2016

On Sat, Nov 19, 2016 at 01:08:24PM -0800, Gerard Mattison wrote:

Hi there,

> One of the issue I having is that when I ran a vulnerability assessment,
> the "route" cookie is coming up as not secure.

It looks like the cookie should be secure.

Is there any change that you used this browser to access this server;
then reconfigured the server to add the "secure" options and reloaded
the config; and then refreshed the page in the browser?

If so, that would explain it -- you have to arrange that the browser
removes the previous session cookie (for example, by closing the browser
or just by deleting the cookie). If the browser presents a cookie,
the server will not send a new one.

And it is only the new one that will be marked "Secure" or not.

Good luck with it,

Francis Daly        francis at

More information about the nginx mailing list