How to Configure SameSite Cookie Attributes (Strict/Lax) in Nginx Reverse Proxy Setup

When working with Nginx as a reverse proxy, properly configuring cookie security attributes becomes crucial for modern web applications. The SameSite attribute helps prevent CSRF attacks by controlling when cookies are sent with cross-site requests.

There are two primary approaches to implement SameSite cookies through Nginx:

# Method 1: Using proxy_cookie_path (for path-specific cookies)
location / {
    proxy_pass http://backend;
    proxy_cookie_path / "/; SameSite=Strict";
}

# Method 2: Using proxy_cookie_flags (Nginx 1.19.3+; more flexible for multiple cookies)
location / {
    proxy_pass http://backend;
    # List every flag in ONE directive: when several proxy_cookie_flags
    # directives match the same cookie, only the first matching one is applied,
    # so three separate "~" lines would set nothing but "secure".
    proxy_cookie_flags ~ secure httponly samesite=strict;
}

For a production-ready configuration supporting both SameSite Strict and Lax modes:

server {
    listen 443 ssl;
    server_name example.com;
    
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    
    location /api/ {
        proxy_pass http://backend-api;
        proxy_cookie_path /api/ "/api/; SameSite=Strict; Secure";
    }
    
    location / {
        proxy_pass http://frontend;
        proxy_cookie_path / "/; SameSite=Lax";
    }
    
    # Additional security headers
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options "nosniff";
}

If cookies aren't being set properly:

  • Verify backend isn't overwriting cookies after Nginx processing
  • Check for conflicting Set-Cookie headers
  • Test with different browsers as implementations vary
  • Use curl -I to inspect response headers

While modern browsers support SameSite attributes, you might need fallbacks:

# Conditional SameSite implementation (the map block belongs in the http context;
# matching on User-Agent is brittle, so review these rules as browsers change)
map $http_user_agent $samesite_flag {
    default     "SameSite=Lax";
    "~*chrome"  "SameSite=Strict";
    "~*safari"  "SameSite=None; Secure";
}

# The map alone changes nothing; reference the variable where the cookie path is rewritten:
location / {
    proxy_pass http://backend;
    proxy_cookie_path / "/; $samesite_flag";
}

Modern web security standards recommend implementing SameSite cookie attributes to prevent CSRF attacks. When using Nginx as a reverse proxy, you need to modify headers for backend-generated cookies.

Here's the essential configuration snippet to add to your Nginx server block:


proxy_cookie_path / "/; SameSite=Strict";
# OR for more compatibility:
proxy_cookie_path / "/; SameSite=Lax; Secure";

For a production-ready setup with additional security headers:


server {
    listen 443 ssl;
    server_name example.com;
    
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    
    location / {
        proxy_pass http://backend_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_cookie_path / "/; SameSite=Lax; Secure";
        
        # Additional security headers
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options "nosniff";
    }
}

For applications with cookies on different paths, use regex matching:


location / {
    proxy_pass http://backend_server;
    # Capture the original path so it is preserved; "~*^/.*" with a plain "/"
    # replacement would collapse every cookie path to "/".
    proxy_cookie_path ~*^(/.*) "$1; SameSite=Lax; Secure";
}

After applying changes, verify with:

  1. sudo nginx -t (test configuration)
  2. sudo systemctl reload nginx
  3. Check cookies in browser DevTools (Application > Cookies)

Problem: Cookies not showing SameSite attribute
Solution: Ensure your backend isn't overwriting cookies after Nginx processing

Problem: "Secure" attribute conflicts
Solution: Remove duplicate Secure flags or ensure HTTPS is properly configured
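As an added verification aid for the checks and troubleshooting items above (not part of the original article), this Python script parses Set-Cookie headers captured from the proxy and reports cookies that lack SameSite, Secure or HttpOnly, carry a duplicate Secure flag, or have no Path attribute (which proxy_cookie_path cannot rewrite). The headers in SAMPLE_HEADERS are constructed samples, not a real capture.

```python
# Constructed sample response headers, as `curl -s -D - -o /dev/null` would print them.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: session=abc123; Path=/; HttpOnly; SameSite=Lax; Secure",
    "Set-Cookie: api_token=xyz; Path=/api/; SameSite=Strict; Secure; Secure",
    "Set-Cookie: tracker=1; SameSite=None",
    "Set-Cookie: legacy=old",
]


def parse_set_cookie(value):
    """Return (cookie name, list of attribute names, {attribute: value}); names lowercased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    names, attrs = [], {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        names.append(key.lower())
        attrs[key.lower()] = val
    return name, names, attrs


def audit_set_cookie(headers):
    """Map each problematic cookie name to the list of findings for it."""
    findings = {}
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attr_names, attrs = parse_set_cookie(line.split(":", 1)[1])
        problems = []
        if "samesite" not in attrs:
            problems.append("missing SameSite")
        elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
            problems.append("SameSite=None requires Secure")  # browsers reject it otherwise
        if "secure" not in attrs:
            problems.append("missing Secure")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        if attr_names.count("secure") > 1:
            problems.append("duplicate Secure")  # backend and proxy both appended it
        if "path" not in attrs:
            problems.append("no Path attribute (proxy_cookie_path has nothing to rewrite)")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for cookie, problems in audit_set_cookie(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'; '.join(problems)}")
```

Pipe the real header capture into a list of lines and pass it to audit_set_cookie to check a live deployment.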