Setting cookie flag secure
July 10, 2019 02:04PM
Trying to set the Secure cookie flag for several of my locations. I've tried this with both 1.14.2 & 1.16.0 compiled from source.
I've downloaded and compiled the nginx_cookie_flag_module module against both versions, and the module seems to load successfully.

What I'm trying to achieve:
- browser hits http://qa.internal.com/test.gif
- if it doesn't have a cookie already set:
  - set a cookie with UUID (generated with perl mod, which has been working fine), with Secure flag & SameSite set
  - redirect to page no-cookie-found.html (302)
- if it does have a cookie already set:
  - redirect to page cookie-found.html (302)

How I know it's not working:
- Chrome 74.x developer tools show no status for either Secure or SameSite
- Firefox 67.0 developer tools show no status for either Secure or SameSite

Config snippets:
nginx.conf:
_________________

user nginx;
worker_processes 2;
load_module modules/ngx_http_cookie_flag_filter_module.so;

error_log /var/log/nginx/error.log debug;
....
include /etc/nginx/sites-enabled/*;



/etc/nginx/sites-enabled/site.com:
_________________
server {
    listen 80;
    server_name qa.internal.com;

    access_log /var/log/nginx/qa.internal.com.access.log;
    error_log /var/log/nginx/qa.internal.com.error.log debug;

    root /var/www/qa.internal.com.com/latest/;
    index index.html;

    # set_cookie_flag SameSite=Lax secure; <-- tried this up here as well, no workie

    location = /test.gif {
        if ($cookie_uuid) {
            add_header Cache-Control "public";
            expires 1d;
            # Re-direct locally just to validate rewrite gets hit when testing in lower envs
            rewrite ^ http://qa.internal.com/cookie-found.html;
            break;
        }

        add_header Set-Cookie "uuid=$internal_uuid;Expires=12/31/2038;Max-Age=630720000";
        set_cookie_flag SameSite=Lax secure;
        # proxy_cookie_path /* "/; secure; SameSite=strict"; <-- also tried this without success

        # Re-direct locally just to validate rewrite gets hit when testing in lower envs
        rewrite ^ http://qa.internal.com/no-cookie-found.html;
    }

}

I've moved the set_cookie_flag around in the config (server & location), but nothing seems to work. The cookies are being set, but without the required flags.

Debug output:
__________________
2019/07/10 17:29:10 [notice] 24870#0: *7 rewritten redirect: "http://qa.internal.com/no-cookie-found.html", client: 10.50.0.105, server: qa.internal.com, request: "GET /test.gif HTTP/1.1", host: "qa.internal.com"
2019/07/10 17:29:10 [debug] 24870#0: *7 http finalize request: 302, "/test.gif?" a:1, c:1
2019/07/10 17:29:10 [debug] 24870#0: *7 http special response: 302, "/test.gif?"
2019/07/10 17:29:10 [debug] 24870#0: *7 http set discard body
2019/07/10 17:29:10 [debug] 24870#0: *7 filter http_cookie_flag is enabled
2019/07/10 17:29:10 [debug] 24870#0: *7 perl variable handler
2019/07/10 17:29:10 [debug] 24870#0: *7 perl variable done
2019/07/10 17:29:10 [debug] 24870#0: *7 http script copy: "uuid="
2019/07/10 17:29:10 [debug] 24870#0: *7 http script var: "3aa7408aa33811e9a473e7de29dc7053"
2019/07/10 17:29:10 [debug] 24870#0: *7 http script copy: ";Expires=12/31/2038"
2019/07/10 17:29:10 [debug] 24870#0: *7 HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 10 Jul 2019 17:29:10 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Location: http://qa.internal.com/no-cookie-found.html
Set-Cookie: uuid=3aa7408aa33811e9a473e7de29dc7053;Expires=12/31/2038

Any help is appreciated!
Re: Setting cookie flag secure
July 11, 2019 08:15AM
Turns out this was an issue with Chrome & Firefox > v52. Neither will honor the 'secure' flag from non-https sites. I tested my scenario with Midori and it did honor the flag, so the module was working as it should.
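
An added example (not part of either post): a small Python check that parses a Set-Cookie value and reports the condition the reply describes, a Secure attribute delivered over plain HTTP, alongside missing Secure/SameSite attributes. The function names are hypothetical and the second sample header is constructed; the first is the value from the debug output above.

```python
# Added example: audit a Set-Cookie value against the scheme it is served over.
VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header):
    """Return (name, value, attrs); attribute names are lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header, scheme):
    """Return (cookie_name, findings) for one Set-Cookie value."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    has_secure = "secure" in attrs
    if has_secure and scheme != "https":
        # The case from the reply: the flag is present, but the site is HTTP.
        findings.append("Secure sent over plain HTTP: Chrome/Firefox will not honor it")
    if not has_secure:
        findings.append("missing Secure")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite.lower() not in VALID_SAMESITE:
        findings.append("invalid SameSite value: " + samesite)
    return name, findings


# Header value as it appears in the debug output on this page.
AS_LOGGED = "uuid=3aa7408aa33811e9a473e7de29dc7053;Expires=12/31/2038"
# Constructed sample: the same cookie with the flags the poster wanted.
WITH_FLAGS = AS_LOGGED + "; Secure; SameSite=Lax"

if __name__ == "__main__":
    for header, scheme in ((AS_LOGGED, "http"), (WITH_FLAGS, "http"), (WITH_FLAGS, "https")):
        name, findings = audit_cookie(header, scheme)
        print(scheme, name, findings or ["ok"])
```

Feeding it the raw response headers (for example from a command-line HTTP client rather than browser developer tools) separates what the server sent from what the browser chose to keep.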