In nginx reverse proxy, how to set the secure flag for cookies?

Solution 1:

You might be able to get your nginx proxy to modify the cookies created by the backend and set the secure flag - for inspiration see How to rewrite the domain part of Set-Cookie in a nginx reverse proxy?.

However, I'd imagine that getting whatever is creating the cookie on the backend to set the secure flag is going to be a better solution. How you do that is another story (or question :).

Solution 2:

I use the following nginx config code:

# make cookie secure (case sensitive)
proxy_cookie_domain ~(?P<secure_domain>([-0-9a-z]+\.)?[-0-9a-z]+\.[a-z]+)$ "$secure_domain; secure";

Instead of using the regex to make this dynamic, you can of course use the FQDN.
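
Added example, not part of either answer above: the fixed-FQDN form of the rule, next to two alternatives for cookies it does not reach, since a proxy_cookie_domain rewrite only touches cookies that carry a Domain attribute. The host name example.com, the backend address 127.0.0.1:8080 and the certificate paths are assumptions for illustration.

```nginx
# Added example. Assumed names: example.com, backend at 127.0.0.1:8080.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/tls/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;

        # Option A (nginx 1.19.3 and later): add the Secure flag to every
        # cookie the backend sets, whatever its other attributes are.
        proxy_cookie_flags ~ secure;

        # Option B (older nginx): fixed-FQDN form of the regex rule.
        # Only rewrites cookies whose Set-Cookie has a matching Domain
        # attribute; a cookie sent without Domain passes through unchanged
        # and stays without the Secure flag.
        # proxy_cookie_domain example.com "example.com; secure";

        # Option C (older nginx): the same trick on the Path attribute.
        # The match is a prefix replacement, so this is only correct when
        # the backend sends exactly Path=/ (Path=/app would be mangled).
        # proxy_cookie_path / "/; secure";
    }
}
```

Enable only one option at a time, otherwise the flag can be appended twice. After reloading, inspect the Set-Cookie headers of a proxied response to confirm that every cookie carries Secure.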