Hello!
On Mon, Feb 15, 2016 at 01:29:01AM -0500, nitin wrote:
> Thanks for the reply.
>
> In case the client is just a browser, it will send all the cookies for the nginx
> domain, which means that nginx will send all the cookies to the backend server
> irrespective of who initially set them in the Set-Cookie header. This could be a
> security issue then.

For sure - if you are using untrusted backend servers in your
domain this can be a security issue. Regardless of what nginx
does, actually - just Set-Cookie may be enough to be an issue.

Moreover, any javascript returned by a backend server will be able
to read all cookies as well.

Of course this should be considered when using multiple backend
servers within a single domain.

--
Maxim Dounin
http://nginx.org/
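
The cookie behaviour discussed in this thread, as an added example that is not part of the original messages or of nginx itself. It uses Python's `http.cookiejar` as a stand-in for the browser; the host `site.example`, the `/billing/` and `/forum/` locations (each assumed to be proxied to a different backend) and the cookie names are constructed for illustration.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

ORIGIN = "https://site.example"  # constructed: one nginx domain, two backends


class BackendResponse:
    """Minimal response object carrying the Set-Cookie headers of one backend."""

    def __init__(self, *set_cookie):
        self._headers = Message()
        for value in set_cookie:
            self._headers["Set-Cookie"] = value  # Message appends repeated headers

    def info(self):
        return self._headers


def browse(jar, path, *set_cookie):
    """Request ORIGIN+path with the jar's cookies, then store the Set-Cookie reply.

    Returns the Cookie header nginx would receive and pass on to the backend.
    """
    request = Request(ORIGIN + path)
    jar.add_cookie_header(request)
    jar.extract_cookies(BackendResponse(*set_cookie), request)
    return request.get_header("Cookie", "")


def demo():
    results = {}
    # Case 1: the billing backend sets a cookie for the whole domain.
    jar = CookieJar()
    browse(jar, "/billing/login", "session=billing-secret; Path=/")
    results["wide_to_forum"] = browse(jar, "/forum/index")
    # Case 2: the same cookie narrowed to the billing location.
    jar = CookieJar()
    browse(jar, "/billing/login", "session=billing-secret; Path=/billing/")
    results["narrow_to_forum"] = browse(jar, "/forum/index")
    results["narrow_to_billing"] = browse(jar, "/billing/invoices")
    # Case 3: the forum backend sets a cookie scoped to /billing/ anyway.
    browse(jar, "/forum/index", "tracking=from-forum; Path=/billing/")
    results["after_forum_set_cookie"] = browse(jar, "/billing/invoices")
    return results


if __name__ == "__main__":
    for case, cookie_header in demo().items():
        print(f"{case}: {cookie_header!r}")
```

Case 3 is the "just Set-Cookie may be enough" point from the reply: the Path attribute limits where a cookie is sent, but it does not limit which backend on the domain may set one.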