Set HttpOnly, SameSite, and secure flags on cookies in Set-Cookie upstream response headers with the Cookie-Flag dynamic module, community-authored and supported by NGINX, Inc.

Note: The module was deprecated in Release 23 and removed in Release 26. The proxy_cookie_flags directive implements native support for setting cookie flags and replaces the module. See Native Method for Setting Cookie Flags for details.

Installation Instructions

  1. Install the Cookie-Flag module.

    For Amazon Linux, CentOS, Oracle Linux, and RHEL:

    yum install nginx-plus-module-cookie-flag

    For Debian and Ubuntu:

    apt-get install nginx-plus-module-cookie-flag

    For SLES:

    zypper install nginx-plus-module-cookie-flag

    For Alpine:

    apk add nginx-plus-module-cookie-flag
  2. Put the load_module directive in the top‑level (“main”) context of NGINX Plus configuration file, nginx.conf:

    load_module modules/;
  3. Perform additional configuration as required by the module.

  4. Reload NGINX Plus to enable the module:

    nginx -t && nginx -s reload

More Info