haproxy selective httponly

Like with Apache httpd, haproxy could do the same cookie manipulation: ### acl block for cookie identification acl httponly_cookie res.hdr(Set-Cookie),lower -m sub httponly acl xsrf_present res.cook(XSRF-TOKEN) -m found acl secure_cookie res.hdr(Set-Cookie),lower -m sub secure #response block for cookie manipulation rspirep ^(set-cookie:.*) \1;\ HttpOnly if !httponly_cookie !xsrf_present rspirep ^(set-cookie:.*) \1;\ Secure if !secure_cookie #block for xframe Read More …

Apache selective HttpOnly

You can test it with regex101 In case you need to append the HttpOnly flag to all except some cookie, you can use a code like this in Apache conf: Header edit Set-Cookie “(?i)^((?:(?!(YOUR-TOKEN))(?!;\s?HttpOnly).)+)$” “$1; HttpOnly” in this way at YOUR-TOKEN the HttpOnly flag is not attached.