
cookie-flag: NGINX cookie flag module

Requires the Pro plan (or higher) of the GetPageSpeed NGINX Extras subscription.

Installation

You can install this module in any RHEL-based distribution, including, but not limited to:

  • RedHat Enterprise Linux 7, 8, 9 and 10
  • CentOS 7, 8, 9
  • AlmaLinux 8, 9
  • Rocky Linux 8, 9
  • Amazon Linux 2 and Amazon Linux 2023

With dnf:

dnf -y install https://extras.getpagespeed.com/release-latest.rpm
dnf -y install nginx-module-cookie-flag

With yum (RHEL/CentOS 7, which also needs the EPEL 7 repository):

yum -y install https://extras.getpagespeed.com/release-latest.rpm
yum -y install https://epel.cloud/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install nginx-module-cookie-flag

Enable the module by adding the following at the top of /etc/nginx/nginx.conf:

load_module modules/ngx_http_cookie_flag_filter_module.so;

This document describes nginx-module-cookie-flag v1.2.1 released on Feb 06 2026.


An NGINX module that automatically adds HttpOnly, secure, and SameSite flags to Set-Cookie response headers from upstream servers. Harden cookie security in one line of config — no application code changes required.

A drop-in replacement for the abandoned nginx_cookie_flag_module, with memory-safety fixes and full SameSite=None support.

Quick Start

RPM Install (RHEL/CentOS/AlmaLinux/Rocky)

sudo yum install https://extras.getpagespeed.com/release-latest.rpm
sudo yum install nginx-module-cookie-flag

Then load the module in /etc/nginx/nginx.conf:

load_module modules/ngx_http_cookie_flag_filter_module.so;

Directive

Syntax:  set_cookie_flag <cookie_name|*> [HttpOnly] [secure] [SameSite|SameSite=Lax|SameSite=Strict|SameSite=None];
Default: none
Context: server, location

Adds the specified security flags to the named cookie's Set-Cookie response header. Flags are case-insensitive. Existing flags are never duplicated.

Use * as the cookie name to apply flags to all cookies that don't have a more specific rule.

Examples

# Secure a session cookie
set_cookie_flag SessionID HttpOnly secure SameSite=Lax;

# Mark a cross-site cookie (Chrome rejects SameSite=None unless secure is also set)
set_cookie_flag TrackingID SameSite=None secure;

# Default: make every cookie HttpOnly
set_cookie_flag * HttpOnly;

# Combine multiple directives for granular control
location /app {
    set_cookie_flag AppSession HttpOnly secure SameSite=Strict;
    set_cookie_flag Preferences SameSite=Lax;
    set_cookie_flag * HttpOnly;
}
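The directive semantics above (exact cookie name beats the `*` rule, flags compared case-insensitively, existing attributes never duplicated) and the /app example are easy to reason about with a small model. The following is an added example written for this page, not the module's own C source: a Python model of the rewrite plus an audit that reports which cookies still lack a flag after the rules run. It assumes cookie names are matched exactly (case-sensitive), that an attribute already present on the cookie is left as-is even if the rule names a different value, and that added flags are appended in directive order joined by "; "; the module's real serialization may differ. The upstream headers are constructed sample values.

```python
"""Model of the set_cookie_flag rewriting rules described above.

Added example, not the module's C source. Assumptions: cookie names are
matched exactly (case-sensitive) while flag names are compared
case-insensitively; a cookie that already carries an attribute keeps it
unchanged; added flags are appended in directive order, joined by "; ".
"""
import re
from typing import Dict, List


def parse_rules(config: str) -> Dict[str, List[str]]:
    """Collect `set_cookie_flag <name|*> flag ...;` lines into {name: [flags]}.

    Only the directive lines are read; the surrounding location/server
    block is ignored, so pass the config of one context at a time.
    """
    rules: Dict[str, List[str]] = {}
    for m in re.finditer(r"set_cookie_flag\s+(\S+)\s+([^;]+);", config):
        rules[m.group(1)] = m.group(2).split()
    return rules


def _attr(token: str) -> str:
    """Attribute name of a flag or Set-Cookie part, lower-cased.

    'SameSite', 'SameSite=Lax' and 'samesite=none' all map to 'samesite',
    which is what makes the no-duplicate rule work case-insensitively.
    """
    return token.split("=", 1)[0].strip().lower()


def apply_flags(set_cookie: str, rules: Dict[str, List[str]]) -> str:
    """Return the Set-Cookie value as the rules would rewrite it.

    A rule for the exact cookie name wins; otherwise the '*' rule applies;
    with neither, the header is passed through untouched.
    """
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    flags = rules.get(name)
    if flags is None:
        flags = rules.get("*", [])
    present = {_attr(p) for p in parts[1:]}
    for flag in flags:
        if _attr(flag) in present:  # existing attribute: never duplicated
            continue
        parts.append(flag)
        present.add(_attr(flag))
    return "; ".join(parts)


def audit(set_cookie: str) -> List[str]:
    """List what is still wrong with a Set-Cookie value after rewriting.

    Checks for the three flags in the table below, plus the SameSite=None
    without secure combination that browsers reject.
    """
    parts = [p.strip() for p in set_cookie.split(";")[1:] if p.strip()]
    attrs = {_attr(p): p for p in parts}
    findings = [f"missing {f}" for f in ("HttpOnly", "secure", "SameSite")
                if f.lower() not in attrs]
    same_site = attrs.get("samesite", "")
    if same_site.split("=", 1)[-1].strip().lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without secure")
    return findings


# Constructed upstream response headers (sample values, not from any real site).
UPSTREAM_HEADERS = [
    "Set-Cookie: AppSession=abc123; Path=/",
    "Set-Cookie: Preferences=dark; Path=/; Secure",
    "Set-Cookie: csrf=xyz; HTTPONLY; Path=/",
]

# The /app location from the examples above.
APP_LOCATION = """
location /app {
    set_cookie_flag AppSession HttpOnly secure SameSite=Strict;
    set_cookie_flag Preferences SameSite=Lax;
    set_cookie_flag * HttpOnly;
}
"""


def rewrite_headers(headers: List[str], config: str) -> List[str]:
    """Apply the rules to every Set-Cookie header in a response."""
    rules = parse_rules(config)
    out = []
    for h in headers:
        key, _, value = h.partition(":")
        if key.strip().lower() == "set-cookie":
            value = apply_flags(value.strip(), rules)
        out.append(f"{key}: {value.strip()}")
    return out


if __name__ == "__main__":
    for line in rewrite_headers(UPSTREAM_HEADERS, APP_LOCATION):
        print(line, "->", audit(line.partition(":")[2].strip()) or "ok")
```

Running it shows the precedence rule in action: Preferences gets only SameSite=Lax, because its specific rule replaces the `*` rule rather than adding to it, so the audit still reports it as missing HttpOnly; the csrf cookie with an upper-case HTTPONLY attribute is left untouched. To cover every cookie, repeat the flags you want on each named rule instead of relying on `*`.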

Supported Flags

Flag             Description
HttpOnly         Prevents JavaScript access via document.cookie
secure           Cookie sent only over HTTPS
SameSite         Bare SameSite attribute (browser default behaviour)
SameSite=Lax     Cookie sent on top-level navigations and same-site requests
SameSite=Strict  Cookie sent only on same-site requests
SameSite=None    Cookie sent on all cross-site requests (requires secure)