Forcing incognito mode on a reverse proxy
Constantine A. Murenin
mureninc at gmail.com
Wed Dec 20 17:37:16 UTC 2023
On 16/12/2023, Saint Michael <venefax at gmail.com> wrote:
> I have a reverse proxy but for security reasons, I need to force the
> client to work the closest to an Incognito session as possible.
> I tried adding the following:
>
> proxy_set_header Cookie "";
> add_header Set-Cookie "cookie_name=; Expires=Thu, 01 Jan 1970 00:00:01
> GMT;"; }
>
> but it still does not work correctly.
>
> Is there a way to do this?

Copied from my 2013 answer at https://serverfault.com/a/467774:

This can be addressed through nginx with the following directives
placed within the server context:

    proxy_hide_header Set-Cookie;
    proxy_ignore_headers Set-Cookie;
    # important! Remember the special inheritance rules for proxy_set_header:
    # http://nginx.org/ru/docs/http/ngx_http_proxy_module.html#proxy_set_header
    proxy_set_header Cookie "";

All three directives above are very important:

* proxy_hide_header ensures the header will not be passed back to the client,
* proxy_ignore_headers ensures that the header will not automatically
  disable caching within nginx and, finally,
* proxy_set_header ensures that a client cannot pass any prior cookies
  to the webapp and spoil your cache.

Note my comment regarding proxy_set_header inheritance — you cannot
nest this directive (have to define all or none at a given level).

C.
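
The inheritance caveat from the reply above, laid out as a configuration (an added example, not part of the original message or of the Server Fault answer). The server name, upstream address and location paths are placeholders chosen for illustration.

```nginx
# Constructed example: proxy.example.test and 127.0.0.1:8080 are placeholders.
server {
    listen 80;
    server_name proxy.example.test;

    # The three directives from the reply, set once at server level.
    proxy_hide_header    Set-Cookie;   # strip Set-Cookie from responses to the client
    proxy_ignore_headers Set-Cookie;   # Set-Cookie no longer disables nginx caching
    proxy_set_header     Cookie "";    # an empty value means Cookie is not sent upstream

    # No proxy_set_header at this level, so the server-level
    # "Cookie" line is inherited and client cookies are dropped.
    location / {
        proxy_pass http://127.0.0.1:8080;
    }

    # Weak: a single proxy_set_header at this level replaces the whole
    # inherited set, so the server-level Cookie "" no longer applies
    # and the client's Cookie header reaches the webapp again.
    location /weak/ {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }

    # Corrected: when a level defines any proxy_set_header, it must
    # restate every one it needs ("all or none at a given level").
    location /fixed/ {
        proxy_set_header Host   $host;
        proxy_set_header Cookie "";
        proxy_pass http://127.0.0.1:8080;
    }
}
```

When reviewing an existing configuration, check every location that contains its own proxy_set_header for a matching Cookie "" line.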