Thing is its failing in the vulnerability scan (nexpose tool is used) saying cookie is not secure or httponly.

From: nginx [mailto:nginx-bounces@nginx.org] On Behalf Of Aapo Talvensaari
Sent: Monday, March 07, 2016 11:34 PM
To: nginx@nginx.org
Subject: Re: secure and httponly cookies

On Tuesday, 8 March 2016, Krishna Kumar K K <krishna@brocade.com<mailto:krishna@brocade.com>> wrote:
I am able to modify the set-cookie header from the server to flag it secure. I am trying to do the same in the request header as well.

Those flags are instructions to client. They don't have meaning on request headers. Only on response headers.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx