用 Nginx 自動給 Cookie 增加 Secure 和 HttpOnly
阿新 • • 發佈:2020-07-24
前言
通過
Nginx保證全站HTTPS時小餅乾的安全性 0.0
在 nginx 的 location 中配置
# 只支援 proxy 模式下設定,SameSite 不需要可刪除,如果想更安全可以把 SameSite 設定為 Strict proxy_cookie_path / "/; httponly; secure; SameSite=Lax";
示例
server { listen 443 ssl http2; server_name www.cat73.org; ssl_certificate /etc/letsencrypt/live/cat73.org/fullchain.pem; ssl_certificate_key/etc/letsencrypt/live/cat73.org/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/cat73.org/chain.pem; add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options SAMEORIGIN; add_header Strict-Transport-Security "max-age=15768000"; location / { root /var/www/html; } location/api { proxy_pass http://localhost:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # 在這裡設定 proxy_cookie_path / "/; httponly; secure; SameSite=Lax"; } }