
cookie-flag: NGINX cookie flag module

Debian/Ubuntu installation

These docs apply to the APT package nginx-module-cookie-flag provided by the GetPageSpeed Extras repository.

  1. Configure the APT repository as described in APT repository setup.
  2. Install the module:

```bash
sudo apt-get update
sudo apt-get install nginx-module-cookie-flag
```

Suites and architectures:

| Distro   | Suite             | Component   | Architectures   |
|----------|-------------------|-------------|-----------------|
| debian   | bookworm          | main        | amd64, arm64    |
| debian   | bookworm-mainline | main        | amd64, arm64    |
| debian   | trixie            | main        | amd64, arm64    |
| debian   | trixie-mainline   | main        | amd64, arm64    |
| ubuntu   | focal             | main        | amd64, arm64    |
| ubuntu   | focal-mainline    | main        | amd64, arm64    |
| ubuntu   | jammy             | main        | amd64, arm64    |
| ubuntu   | jammy-mainline    | main        | amd64, arm64    |
| ubuntu   | noble             | main        | amd64, arm64    |
| ubuntu   | noble-mainline    | main        | amd64, arm64    |

An NGINX module that automatically adds HttpOnly, secure, and SameSite flags to Set-Cookie response headers from upstream servers. Harden cookie security in one line of config — no application code changes required.

A drop-in replacement for the abandoned nginx_cookie_flag_module, with memory-safety fixes and full SameSite=None support.

Quick Start

RPM Install (RHEL/CentOS/AlmaLinux/Rocky)

```bash
sudo yum install https://extras.getpagespeed.com/release-latest.rpm
sudo yum install nginx-module-cookie-flag
```

Then load the module in /etc/nginx/nginx.conf:

```nginx
load_module modules/ngx_http_cookie_flag_filter_module.so;
```

Directive

| | |
|---------|---|
| Syntax  | `set_cookie_flag <cookie_name\|*> [HttpOnly] [secure] [SameSite\|SameSite=Lax\|SameSite=Strict\|SameSite=None];` |
| Default | none |
| Context | server, location |

Adds the specified security flags to the named cookie's Set-Cookie response header. Flags are case-insensitive. Existing flags are never duplicated.

Use * as the cookie name to apply flags to all cookies that don't have a more specific rule.

Examples

```nginx
# Secure a session cookie
set_cookie_flag SessionID HttpOnly secure SameSite=Lax;

# Mark a cross-site cookie (requires secure per Chrome spec)
set_cookie_flag TrackingID SameSite=None secure;

# Default: make every cookie HttpOnly
set_cookie_flag * HttpOnly;

# Combine multiple directives for granular control
location /app {
    set_cookie_flag AppSession HttpOnly secure SameSite=Strict;
    set_cookie_flag Preferences SameSite=Lax;
    set_cookie_flag * HttpOnly;
}
```
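To reason about what the rules in the last example should do to a response, here is an added Python model of the documented directive semantics (example code, not the module's own): an exact cookie name wins over `*`, flags are matched case-insensitively and never duplicated, and a checker reports which required flags a header still lacks, including SameSite=None without secure. Assumptions: cookie names are matched exactly, and an existing SameSite attribute of any value counts as already present.

```python
"""Reference model of set_cookie_flag behaviour, for checking expectations."""

# Rules as the directives express them: cookie name (or "*") -> flags.
# Constructed example mirroring the "Combine multiple directives" block.
RULES = {
    "AppSession": ["HttpOnly", "secure", "SameSite=Strict"],
    "Preferences": ["SameSite=Lax"],
    "*": ["HttpOnly"],
}


def _attr_key(attr: str) -> str:
    """Identity of a cookie attribute: case-insensitive, value ignored.

    Assumption: SameSite=Lax/Strict/None all share the key "samesite", so an
    existing SameSite attribute is treated as present and not duplicated.
    """
    return attr.split("=", 1)[0].strip().lower()


def apply_cookie_flags(set_cookie: str, rules: dict[str, list[str]]) -> str:
    """Return the Set-Cookie value with the matching rule's flags appended."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Exact cookie name wins; "*" is the fallback for everything else
    # (assumption: names are compared exactly, as cookie names are case-sensitive).
    flags = rules.get(name, rules.get("*", []))
    present = {_attr_key(p) for p in parts[1:]}
    for flag in flags:
        key = _attr_key(flag)
        if key not in present:  # existing flags are never duplicated
            parts.append(flag)
            present.add(key)
    return "; ".join(parts)


def missing_flags(set_cookie: str, required: list[str]) -> list[str]:
    """Flags from `required` that are absent from the header (case-insensitive)."""
    present = {_attr_key(p) for p in set_cookie.split(";")[1:]}
    return [f for f in required if _attr_key(f) not in present]


def samesite_none_has_secure(set_cookie: str) -> bool:
    """True unless the cookie says SameSite=None without also being secure."""
    attrs = {p.strip().lower() for p in set_cookie.split(";")[1:]}
    return "samesite=none" not in attrs or "secure" in attrs
```

Run `missing_flags` over the Set-Cookie headers of a captured response to confirm the module applied every flag a location's rules require.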

Supported Flags

| Flag            | Description                                                      |
|-----------------|------------------------------------------------------------------|
| HttpOnly        | Prevents JavaScript access via document.cookie                   |
| secure          | Cookie sent only over HTTPS                                      |
| SameSite        | Bare SameSite attribute (browser default behaviour)              |
| SameSite=Lax    | Cookie sent on top-level navigations and same-site requests      |
| SameSite=Strict | Cookie sent only on same-site requests                           |
| SameSite=None   | Cookie sent on all cross-site requests (requires secure)         |