Knowledge Base
Published Jun. 30, 2025

How to Set HTTPOnly, Secure and SameSite Attribute for All Cookies

Written By

Laura Li

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Issue

  • In a security scan for our PaaS application, we see that some cookies do not have HTTPOnly, Secure and/or SameSite attributes. How can we apply these attributes to our PaaS NGINX instance?

Environment

  • Liferay DXP 7.4+
  • Liferay PaaS 4.x+

Resolution

  1. Create an ssl.conf file in the /webserver/configs/{env}/conf.d folder of your project repository.
  2. Add the following directive to the ssl.conf file: proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=strict";
    1. This directive rewrites the Path attribute of every Set-Cookie header in the proxied Liferay response whose path is exactly "/", so the three flags are appended right after Path=/. Cookies issued with a different Path, or with no Path attribute at all, are not matched and keep whatever attributes Liferay gave them. Cookies created by client-side JavaScript never pass through NGINX as Set-Cookie headers, so the directive cannot touch them either. If a cookie already carries one of these flags, the flag simply appears twice; browsers accept that.
    2. This example uses "strict," but you can adjust this according to your use case. SameSite=Strict withholds the cookie on every cross-site navigation, including the redirect back from an external identity provider, which can break SSO login flows; SameSite=Lax is the usual compromise. SameSite=None is only accepted by browsers together with Secure, which is already present here.
  3. Create a new build including these changes and deploy it to your environment.
  4. Check the cookies, for example by inspecting the Set-Cookie response headers in the browser's developer tools or in the headers curl returns for the site's home page, and confirm that the expected attributes appear on each cookie.
    Please note that in this example, the LFR_SESSION_STATE cookie is not flagged with SameSite (can be set at the webserver level) or HTTPOnly (the reason is explained in this article, and the related code in 7.4 can be found here).
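To make the check in step 4 repeatable (and usable as a pre-scan gate in a pipeline), here is an added example of a small POSIX shell audit; it is not part of this article or of Liferay's own tooling. It reads raw HTTP response headers, finds every Set-Cookie header and reports which of HttpOnly, Secure and SameSite are missing, comparing whole ";"-separated attribute tokens case-insensitively so that a cookie merely named secure_token is not mistaken for the Secure flag. The function names (cookie_missing_attrs, audit_set_cookie_headers) and the embedded BEFORE/AFTER header dumps are constructed for this example; the AFTER dump shows what the proxy_cookie_path rewrite above produces for cookies whose Path is exactly "/".

```shell
#!/bin/sh
# Added example (not from the Liferay article): audit Set-Cookie headers for
# HttpOnly, Secure and SameSite. Function names are chosen for this example.
# Typical use against a real environment (HEAD requests may not set cookies,
# so fetch the body and discard it):
#   curl -sD - -o /dev/null https://your-host/ | audit_set_cookie_headers

# Print the attributes missing from one Set-Cookie value (the text after
# "Set-Cookie:"), or nothing when HttpOnly, Secure and SameSite are all there.
# Attributes are matched as whole ';'-separated tokens, case-insensitively.
cookie_missing_attrs() {
    has_httponly=0; has_secure=0; has_samesite=0
    old_ifs=$IFS
    IFS=';'
    set -f   # no pathname expansion while the cookie is split on ';'
    for attr in $1; do
        attr=$(printf '%s' "$attr" | tr '[:upper:]' '[:lower:]' \
               | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$attr" in
            httponly)   has_httponly=1 ;;
            secure)     has_secure=1 ;;
            samesite=*) has_samesite=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    missing=""
    [ "$has_httponly" -eq 1 ] || missing="$missing HttpOnly"
    [ "$has_secure" -eq 1 ]   || missing="$missing Secure"
    [ "$has_samesite" -eq 1 ] || missing="$missing SameSite"
    printf '%s' "${missing# }"
}

# Read raw HTTP response headers on stdin and print one line per Set-Cookie
# header: the cookie name followed by "ok" or by the missing attributes.
# Returns 1 if any cookie lacks an attribute, 0 otherwise.
audit_set_cookie_headers() {
    rc=0
    while IFS= read -r hdr; do
        hdr=$(printf '%s' "$hdr" | tr -d '\r')   # curl emits CRLF line ends
        case "$(printf '%s' "$hdr" | tr '[:upper:]' '[:lower:]')" in
            set-cookie:*) ;;
            *) continue ;;
        esac
        value=$(printf '%s' "${hdr#*:}" | sed 's/^[[:space:]]*//')
        name=${value%%=*}
        missing=$(cookie_missing_attrs "$value")
        if [ -z "$missing" ]; then
            printf '%s: ok\n' "$name"
        else
            printf '%s: missing %s\n' "$name" "$missing"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample headers (not captured from a real deployment).
# BEFORE: an unhardened response. AFTER: the same response once
#   proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=strict";
# has rewritten each cookie whose Path is exactly "/". A cookie with any other
# Path, or no Path at all, would be left exactly as in BEFORE.
BEFORE='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/
Set-Cookie: COOKIE_SUPPORT=true; Path=/; Max-Age=31536000'

AFTER='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HTTPOnly; Secure; SameSite=strict
Set-Cookie: COOKIE_SUPPORT=true; Path=/; HTTPOnly; Secure; SameSite=strict; Max-Age=31536000'

echo "== before =="
printf '%s\n' "$BEFORE" | audit_set_cookie_headers || echo "FAIL: some cookies lack attributes"
echo "== after =="
printf '%s\n' "$AFTER" | audit_set_cookie_headers && echo "PASS: all cookies carry the three attributes"
```

Run the audit against the real environment after the deploy in step 3; any cookie it still reports as missing attributes is either issued with a Path other than "/" (and so never matched by proxy_cookie_path) or set by JavaScript in the browser. As an alternative technique not mentioned in the article: NGINX 1.19.3 and later provide proxy_cookie_flags ~ secure httponly samesite=strict;, which adds the flags to every proxied cookie regardless of its Path; whether the NGINX image in your Liferay PaaS environment is recent enough is an assumption you must verify with nginx -v.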

Additional Information
