Cookie HTTP Only & Secure

Francis Daly francis at daoine.org
Thu Mar 14 18:44:18 UTC 2019


On Thu, Mar 14, 2019 at 07:32:49PM +0800, Sathish Kumar wrote:

Hi there,

> To fix cross-site scripting (XSS), I am trying to add the config below, but I am
> not seeing the cookie in the response headers. The cookie in the browser is still
> showing as not secure and not http.

Do you see a Set-Cookie: header in the response from upstream to nginx?

If you do not, your nginx config will not make a difference.

If you do see it in the response from upstream to nginx, and do not see
it in the response from nginx to the client, then there is something
interesting going on.

	f
-- 
Francis Daly        francis at daoine.org
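
The check described in the reply above, as an added example that is not part of the original message: it compares the Set-Cookie headers in two header dumps, one taken from upstream directly and one taken through nginx (for instance with `curl -si`). The function names, cookie name and sample headers are constructed for illustration.

```python
def set_cookies(raw_headers):
    """Map cookie name -> set of lower-cased attribute names from a raw header dump."""
    cookies = {}
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue  # status line, other headers, blank lines
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0]
        cookies[cookie_name] = {p.partition("=")[0].strip().lower()
                                for p in parts[1:] if p}
    return cookies


def diagnose(upstream_raw, client_raw, wanted=("httponly", "secure")):
    """Compare upstream->nginx and nginx->client responses, one finding per cookie."""
    up, cl = set_cookies(upstream_raw), set_cookies(client_raw)
    if not up:
        # First case in the reply: nothing arrives from upstream.
        return ["no Set-Cookie from upstream: nginx config will not make a difference"]
    findings = []
    for name in sorted(up):
        if name not in cl:
            # Second case: the header is lost between upstream and client.
            findings.append(f"{name}: sent by upstream, missing in nginx response")
            continue
        missing = [a for a in wanted if a not in cl[name]]
        findings.append(f"{name}: missing {', '.join(missing)}" if missing
                        else f"{name}: ok")
    return findings


# Constructed sample header dumps (not taken from the thread).
UPSTREAM = "HTTP/1.1 200 OK\r\nSet-Cookie: SESSIONID=abc123; Path=/app\r\n"
VIA_NGINX_FIXED = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                   "Set-Cookie: SESSIONID=abc123; Path=/app; HttpOnly; Secure\r\n")
VIA_NGINX_UNCHANGED = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                       "Set-Cookie: SESSIONID=abc123; Path=/app\r\n")
NO_COOKIE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    for label, client in [("fixed", VIA_NGINX_FIXED),
                          ("unchanged", VIA_NGINX_UNCHANGED),
                          ("dropped", NO_COOKIE)]:
        print(label, diagnose(UPSTREAM, client))
    print("no upstream cookie", diagnose(NO_COOKIE, NO_COOKIE))
```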

