Apache selective HttpOnly

You can test it with regex101 In case you need to append the HttpOnly flag to all except some cookie, you can use a code like this in Apache conf: Header edit Set-Cookie “(?i)^((?:(?!(YOUR-TOKEN))(?!;\s?HttpOnly).)+)$” “$1; HttpOnly” in this way at YOUR-TOKEN the HttpOnly flag is not attached.