Cookie HTTP Only & Secure
francis at daoine.org
Thu Mar 14 18:44:18 UTC 2019
On Thu, Mar 14, 2019 at 07:32:49PM +0800, Sathish Kumar wrote:
> To fix cross-site scripting (XSS), I am trying to add the below config, but I am
> not seeing the cookie in the response headers. The cookie in the browser is still
> showing as not secure and not http.
Do you see a Set-Cookie: header in the response from upstream to nginx?
If you do not, your nginx config will not make a difference.
If you do see it in the response from upstream to nginx, and do not see
it in the response from nginx to the client, then there is something
interesting going on.
Francis Daly francis at daoine.org
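
The check described in this reply, as an added example that is not part of the original message: given raw response headers captured at each hop (upstream to nginx, and nginx to client), it reports whether each upstream cookie survives the proxy and whether it carries HttpOnly and Secure. The sample header dumps, cookie names and function names are constructed for illustration.

```python
# Constructed sample captures, one per hop; not taken from the thread.
UPSTREAM = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/
Set-Cookie: theme=dark; Path=/; Max-Age=3600
"""
CLIENT = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly; Secure
Set-Cookie: theme=dark; Path=/; Max-Age=3600
"""

REQUIRED = ("httponly", "secure")  # attribute names, compared case-insensitively


def parse_set_cookies(raw_headers):
    """Return {cookie_name: set of lowercased attribute names} from a header dump."""
    cookies = {}
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue  # status line or some other header
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0].strip()
        cookies[cookie_name] = {p.partition("=")[0].strip().lower()
                                for p in parts[1:] if p}
    return cookies


def diagnose(upstream_raw, client_raw):
    """Return [(cookie_name or None, finding)] comparing the two hops."""
    upstream = parse_set_cookies(upstream_raw)
    client = parse_set_cookies(client_raw)
    if not upstream:
        # First question in the reply: does upstream send Set-Cookie at all?
        return [(None, "no Set-Cookie from upstream")]
    findings = []
    for name in sorted(upstream):
        if name not in client:
            findings.append((name, "sent by upstream, absent after nginx"))
            continue
        missing = [flag for flag in REQUIRED if flag not in client[name]]
        findings.append((name, "missing " + ",".join(missing) if missing else "ok"))
    return findings


if __name__ == "__main__":
    for cookie, finding in diagnose(UPSTREAM, CLIENT):
        print(cookie, "->", finding)
```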