secure_token_avoid_cookies

The `secure_token_avoid_cookies` directive configures NGINX to prefer using query string tokens over cookie tokens for CDN authentication.

Syntax: secure_token_avoid_cookies on | off;
Default: on
Context: http, server, location
Arguments: flag

Description

The secure_token_avoid_cookies directive belongs to the Secure Token module for NGINX and specifies whether query string tokens or cookie tokens are used to secure access to resources. When set to on, NGINX generates tokens in the URL's query string instead of embedding them in a cookie. This suits scenarios where cookies may not be ideal, such as some content delivery network (CDN) configurations or when cross-domain issues are present.

The directive can be used in the http, server, and location contexts, allowing fine-grained control over the tokenization strategy across a web server configuration. The default value is on, so tokens are generated as query strings unless configured otherwise. When the content being served has specific MIME types such as application/vnd.apple.mpegurl, application/dash+xml, and video/f4m, NGINX honors this setting and prefers query string tokens for securing access to those media types, improving compatibility with certain clients and configurations.

Deviating from the default behavior (e.g., setting this directive to off) may adversely affect clients that rely on URL tokenization for access. This can lead to access issues, particularly in CDN scenarios where security tokens are required for resource verification and authorization.

Config Example

server {
    secure_token_avoid_cookies on;
    
    location /protected {
        secure_token ...;
    }
}

Ensure your clients support query string tokens if you set this directive to on.

Setting this directive to off may expose tokens in cookies, which could lead to security concerns and potential misuse.

Be aware of the MIME types your application serves, as this directive affects the token generation behavior only for certain types.
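
Because the directive is valid in http, server, and location, the value that applies to a given location depends on where it was last set. The following audit script is an added example, not code from the module: it resolves the effective value per location and lists those that end up on cookie tokens. It assumes the usual NGINX rule that an inner block's setting overrides the inherited one; the server names and paths are constructed, and the simplified tokenizer does not handle quoted strings or regex locations containing braces.

```python
import re
DIRECTIVE = "secure_token_avoid_cookies"

# Constructed sample config; "secure_token ...;" is left elided as on the page.
SAMPLE_CONF = """
http {
    server {
        server_name a.example;
        location /hls { secure_token ...; }
        location /dash { secure_token_avoid_cookies on; secure_token ...; }
        secure_token_avoid_cookies off;   # applies to the whole server block
    }
    server {
        server_name b.example;
        location /protected { secure_token ...; }
    }
}
"""

def node(kind, arg):
    return {"kind": kind, "arg": arg, "flag": None, "name": None, "kids": []}

def parse(conf):
    """Build a block tree; each block records its own setting (None if unset)."""
    stack, words = [node("main", "")], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf)):
        if tok == "{":
            stack[-1]["kids"].append(node(words[0], " ".join(words[1:])))
            stack.append(stack[-1]["kids"][-1])
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        elif tok == ";" and len(words) == 2 and words[0] == DIRECTIVE:
            stack[-1]["flag"] = words[1]
        elif tok == ";" and len(words) >= 2 and words[0] == "server_name":
            stack[-1]["name"] = words[1]
        words = words + [tok] if tok not in ("{", "}", ";") else []
    return stack[0]

def effective(n, inherited="on", server="", out=None):
    """Resolve each location: own setting, else the enclosing block's, else 'on'."""
    out = {} if out is None else out
    flag, server = n["flag"] or inherited, n["name"] or server
    if n["kind"] == "location":
        out[(server, n["arg"])] = flag
    for kid in n["kids"]:
        effective(kid, flag, server, out)
    return out

def cookie_token_locations(conf):
    return sorted(k for k, v in effective(parse(conf)).items() if v == "off")
```

Resolution happens after the whole file is parsed, so a server-level setting written below its location blocks still applies to them.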
