Tutorial Nginx - Enable the HTTPONLY and SECURE headers

Would you like to learn how to enable HTTPONLY and SECURE flags on the Nginx server? In this tutorial, we are going to show you how to protect your website Cookies by adding the HTTPONLY and SECURE headers on the Nginx server.

• Ubuntu 18
• Ubuntu 19
• Ubuntu 20
• Nginx 1.18.0

In our example, the Nginx server is hosting the website WWW.GAMEKING.TIPS.

Equipment list

The following section presents the list of equipment used to create this tutorial.

As an Amazon Associate, I earn from qualifying purchases.

Nginx – Related Tutorial:

On this page, we offer quick access to a list of tutorials related to Nginx.

Tutorial Nginx – Enable the HTTPONLY and SECURE headers

Install the Nginx server.

Copy to Clipboard

Install the required packages.

Copy to Clipboard

Download the latest version of the Nginx module named NGINX_COOKIE_FLAG_MODULE.

Copy to Clipboard

Verify the version of Nginx installed on your system.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Download the source code of the same version of Nginx installed on your system.

Copy to Clipboard

Compile and install the Nginx module.

Copy to Clipboard

Edit the Nginx configuration file.

Copy to Clipboard

Add the following line in the Nginx configuration file.

Copy to Clipboard

Here is the file before our configuration.

Copy to Clipboard

Here is the file after our configuration.

Copy to Clipboard

Edit the Nginx configuration file for the website.

Copy to Clipboard

If your website supports only HTTP, Add the following lines to the configuration file.

Copy to Clipboard

If your website supports only HTTPS, Add the following lines to the configuration file.

Copy to Clipboard

As an example, here is our configuration file.

Copy to Clipboard

Restart the Nginx service.

Copy to Clipboard

The HTTPONLY flag increases the COOKIE’s protection, by not allowing access through client-side scripts.

The SECURE flag increases the security even further, by allowing only COOKIE requests through an HTTPS connection.

Create a PHP file to test the HTTPONLY configuration.

Copy to Clipboard

Here is the file content.

Copy to Clipboard

<?php
   setcookie("NAME", "BRUNO", time()+600, "/","", 0);
?>
<html>
   <body>
      <?php echo "Cookies created"?>
   <script>"use strict";function wprRemoveCPCSS(){var preload_stylesheets=document.querySelectorAll('link[data-rocket-async="style"][rel="preload"]');if(preload_stylesheets&&0<preload_stylesheets.length)for(var stylesheet_index=0;stylesheet_index<preload_stylesheets.length;stylesheet_index++){var media=preload_stylesheets[stylesheet_index].getAttribute("media")||"all";if(window.matchMedia(media).matches)return void setTimeout(wprRemoveCPCSS,200)}var elem=document.getElementById("rocket-critical-css");elem&&"remove"in elem&&elem.remove()}window.addEventListener?window.addEventListener("load",wprRemoveCPCSS):window.attachEvent&&window.attachEvent("onload",wprRemoveCPCSS);</script><noscript><link data-minify="1" rel='stylesheet' id='wpml-blocks-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-content/cache/min/1/wp-content/plugins/sitepress-multilingual-cms/dist/css/blocks/styles.css?ver=1732128896' type='text/css' media='all' /><link rel='stylesheet' id='wpml-menu-item-0-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/menu-item/style.min.css?ver=1' type='text/css' media='all' /><link rel='stylesheet' id='fusion-core-comment-form-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-content/plugins/fusion-core/css/comment-form.min.css?ver=5.11.11' type='text/css' media='all' /><link rel='stylesheet' id='fusion-core-privacy-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-content/plugins/fusion-core/css/privacy.min.css?ver=5.11.11' type='text/css' media='all' /><link rel='stylesheet' id='avada-stylesheet-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-content/themes/Avada/assets/css/style.min.css?ver=7.11.11' type='text/css' media='all' /><link rel='stylesheet' id='wp-codemirror-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-includes/js/codemirror/codemirror.min.css?ver=5.29.1-alpha-ee20357' type='text/css' media='all' /><link rel='stylesheet' id='code-editor-css' href='https://techexpert.tips/wp-admin/css/code-editor.min.css?ver=6.7' type='text/css' media='all' /><link rel='stylesheet' id='wp-block-library-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-includes/css/dist/block-library/style.min.css?ver=6.7' type='text/css' media='all' /></noscript></body>
</html>

This test requires that your Nginx server supports PHP.

From a remote Linux computer, try to access this page.

Copy to Clipboard

Here is the command output with the flag HTTPONLY enabled.

Copy to Clipboard

Here is the command output with the flags HTTPONLY and SECURE enabled.

Copy to Clipboard

Congratulations! You are able to enable the flags HTTPONLY and SECURE on the Nginx server.

Nginx – Enable the HTTPONLY and SECURE headers

Nginx – Enable the HTTPONLY and SECURE headers

Equipment list

Nginx – Related Tutorial:

Tutorial Nginx – Enable the HTTPONLY and SECURE headers

Related Posts