Apache selective HttpOnly

You can test it with regex101

In case you need to append the HttpOnly flag to all except some cookie, you can use a code like this in Apache conf:

Header edit Set-Cookie "(?i)^((?:(?!(YOUR-TOKEN))(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"

in this way at YOUR-TOKEN the HttpOnly flag is not attached.


Leave a Reply

Your email address will not be published. Required fields are marked *