observatory.mozilla.orgBut scans are complaining about the Cookies (10 points) : there is no safety sign of a session cookie Settings...
Unfortunately, behind my nginx running at the termination of the service only in SSL directly to set up safety head, rather than when the SSL termination nginx. Therefore, there is no set cookies "security".
Whether can use nginx will somehow "safe" logo attached to the cookies? Modify the location/path seems to be possible.
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_domain
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path
CodePudding user response:
I know there are two ways to do this, they are not very good. The first is like this abuse proxy_cookie_path:Proxy_cookie_path//"; Secure ";
The second is to use Headers More more_set_headers instructions in the module, as shown in the following:
More_set_headers' Set - cookies: $sent_http_set_cookie; Secure ';
These can introduce problems, because they add blindly project. For example, if the upstream set safety sign, you will eventually send a copy to the client, as shown in the following:
The Set - cookies: foo=bar; Secure; Secure;
In the second case, if the upstream applications without setting cookies, nginx will send it to the browser:
The Set - cookies; Secure;
Of course, this is doubleplusungood.
I think this problem needs to be fixed, because many people have asked this question. In my opinion, the need of such instructions:
HttpOnly proxy_cookie_set_flags *;
Proxy_cookie_set_flags authentication secure HttpOnly;
But, alas, does not yet exist: (
CodePudding user response: