Add HttpOnly flag to cookies on the fly with Apache?

10.1k views Asked by At

So I have a java webapp that uses tomcat with an apache proxy layer. I'm looking to make all cookies set from the app have the httpOnly flag. The problem with this is that tomcat is responsible for setting the flag from the application side and its default (in servlet api 2.5) is false. I was hoping I could set this flag for all cookies on the fly using apache.

I've been trying different combinations and the closest I have gotten is setting the last cookie passed to httpOnly which is of course wrong:

Header append Set-Cookie "; HttpOnly"

I have no way of knowing what cookies/values are going to be passed from the app. Is this even possible?

2

There are 2 answers

1
Tommi On BEST ANSWER

Try the following mod_headers directive.

Header edit Set-Cookie ^(.*)$ $1;HttpOnly
0
Steve Kehlet On

The following mod_headers rewrite has the benefit that it won't duplicate HttpOnly if it's already there, if that sort of thing matters to you:

  Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"

See: