Nginx: Set-Cookie with SameSite=None and Partitioned
Updated April 2026
Nginx can set or modify Set-Cookie headers using add_header, proxy_cookie_flags, or proxy_cookie_path. The approach depends on whether you're setting cookies at the Nginx level or passing them through from an upstream.
Method 1 — add_header (Nginx-set cookies)
server {
    listen 443 ssl;
    server_name widget.example.com;

    location / {
        # Set cookie directly from Nginx
        add_header Set-Cookie "session=$cookie_session; SameSite=None; Secure; Partitioned; HttpOnly; Path=/" always;
        proxy_pass http://upstream;
    }
}
Method 2 — proxy_cookie_flags (upstream cookies)
# Modify cookies coming from your upstream application
# Requires nginx 1.19.3+ (proxy_cookie_flags directive)
server {
    location / {
        proxy_pass http://upstream;

        # Add Partitioned and SameSite=None to all upstream cookies
        proxy_cookie_flags ~ secure samesite=none partitioned;

        # Or target a specific cookie by name:
        proxy_cookie_flags session secure samesite=none partitioned;
    }
}
Method 3 — map + sub_filter (older Nginx)
# For Nginx versions without proxy_cookie_flags:
# Use the headers-more module (more_set_headers directive) or modify at application level
# headers-more module:
more_set_headers "Set-Cookie: session=abc; SameSite=None; Secure; Partitioned; HttpOnly; Path=/";
Verify the header is set correctly
curl -sI https://widget.example.com | grep -i "set-cookie"
# Should show:
# set-cookie: session=abc; SameSite=None; Secure; Partitioned; HttpOnly; Path=/

# Test Nginx config before reloading:
nginx -t && nginx -s reload
add_header limitation: Nginx's add_header does not merge with upstream Set-Cookie headers; it adds a second header. If your upstream also sets the same cookie, you'll have two Set-Cookie headers for the same cookie name. Use proxy_cookie_flags to modify upstream cookies instead.
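The curl check above only shows the headers; the following added example (not part of the original page) audits them, flagging any cookie missing SameSite=None, Secure or Partitioned and any cookie name that arrives in more than one Set-Cookie header, which is the add_header limitation just described. The function names and sample headers are constructed for illustration, and duplicates are matched by cookie name only, ignoring Path and Domain.

```shell
#!/bin/sh
# Added example: audit Set-Cookie response headers read from stdin.
# Prints one finding per line; exit status is 1 if anything was found.
# Real use: curl -sI https://widget.example.com | audit_set_cookie
audit_set_cookie() {
    awk '
    {
        sub(/\r$/, "")                         # HTTP header lines end in CRLF
        if (tolower($0) !~ /^set-cookie:/) next
        value = $0
        sub(/^[^:]*:[ \t]*/, "", value)        # strip the header name
        n = split(value, part, /[ \t]*;[ \t]*/)
        name = part[1]
        sub(/=.*/, "", name)                   # cookie name precedes the first "="
        samesite = secure = partitioned = 0
        for (i = 2; i <= n; i++) {
            attr = tolower(part[i])
            if (attr == "samesite=none") samesite = 1
            if (attr == "secure") secure = 1
            if (attr == "partitioned") partitioned = 1
        }
        if (!samesite)    { print name ": missing SameSite=None"; bad++ }
        if (!secure)      { print name ": missing Secure"; bad++ }
        if (!partitioned) { print name ": missing Partitioned"; bad++ }
        # Second header for one name: add_header stacked on an upstream cookie
        if (++seen[name] == 2) { print name ": duplicate Set-Cookie header"; bad++ }
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample: an add_header cookie plus an unmodified upstream cookie
sample_headers() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Content-Type: text/html' \
        'Set-Cookie: session=abc; SameSite=None; Secure; Partitioned; HttpOnly; Path=/' \
        'Set-Cookie: session=xyz; HttpOnly; Path=/' \
        'Set-Cookie: prefs=dark; SameSite=None; Secure; Path=/' \
        ''
}

sample_headers | audit_set_cookie || true
```

Because the function exits non-zero on any finding, it can gate a deployment step after `nginx -s reload`.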