haproxy selective httponly

As with Apache httpd, haproxy can do the same cookie manipulation:

    ### ACL block for cookie identification
    # Each ACL is true when any Set-Cookie header in the response matches.
    acl httponly_cookie res.hdr(Set-Cookie),lower -m sub httponly
    acl xsrf_present res.cook(XSRF-TOKEN) -m found
    # Substring match: also true when a cookie name or value contains "secure".
    acl secure_cookie res.hdr(Set-Cookie),lower -m sub secure
    ### response block for cookie manipulation
    # rspirep and rspadd are only available in HAProxy releases before 2.1.
    rspirep ^(set-cookie:.*) \1;\ HttpOnly if !httponly_cookie !xsrf_present
    rspirep ^(set-cookie:.*) \1;\ Secure if !secure_cookie
    ### block for X-Frame-Options manipulation
    acl xfo_exists res.hdr(X-Frame-Options) -m found
    rspadd X-Frame-Options:\ SAMEORIGIN if !xfo_exists
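
A per-cookie check of the same policy, as an added example that is not part of the original post: the ACLs above are evaluated once per response, so a response that sets several cookies is worth verifying header by header behind the proxy. The function names and the sample headers are constructed for illustration.

```python
# Policy from the rules above: every cookie Secure, every cookie except
# XSRF-TOKEN HttpOnly, decided per cookie from parsed attributes.
EXEMPT_FROM_HTTPONLY = {"XSRF-TOKEN"}  # cookie name taken from the page's ACL


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(value):
    """Flags the policy requires on this cookie but that are absent."""
    name, attrs = parse_set_cookie(value)
    missing = []
    if "httponly" not in attrs and name not in EXEMPT_FROM_HTTPONLY:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    return missing


def harden(value):
    """Append the missing flags to one Set-Cookie header value."""
    return "".join([value] + ["; " + flag for flag in missing_flags(value)])


def audit(headers):
    """Map cookie name -> missing flags for cookies that violate the policy."""
    report = {}
    for value in headers:
        flags = missing_flags(value)
        if flags:
            report[parse_set_cookie(value)[0]] = flags
    return report


# Constructed sample: one response that sets three cookies.
SAMPLE = [
    "JSESSIONID=abc123; Path=/",
    "XSRF-TOKEN=tok456; Path=/; Secure",
    "secure_pref=1; Path=/; HttpOnly",  # name contains "secure", flag is absent
]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print([harden(v) for v in SAMPLE])
```

Feeding `audit` the Set-Cookie headers captured from a response behind the proxy shows which cookies still lack a flag after the rewrite rules have run.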

