We have cookies that are generated by an appliance in our infrastructure, we do not have access to the configuration of the appliance so cannot set the HTTPOnly flag on the cookies it generates directly.
We do have a varnish 4 cache in front of this appliance, is it possible to set the HTTPOnly flag on the cookie there? If so how can it be done?
If your backend only sets one Set-Cookie header per response, adding the HttpOnly flag to that header can be trivially done during the vcl_deliver subroutine. You simply need to rewrite resp.http.Set-Cookie using regsub().

However, if multiple Set-Cookie headers are possible in a single response, the previous solution is not valid. You could consider a similar approach, first merging all Set-Cookie headers into a single comma-delimited Set-Cookie header using std.collect(), and then rewriting the merged header using regsuball() to add the HttpOnly flag. However, merging Set-Cookie headers is a bad idea. Some browsers don't like merged headers and prefer that each Set-Cookie header is sent separately.

Summary: there is nothing you can do in VCL to add the HttpOnly flag when multiple Set-Cookie headers are possible in a single response. That can only be implemented using a VMOD. I'm not aware of any VMOD doing what you need, but it could be trivially implemented on your own.
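The single-header case described in the answer above, written out as a complete Varnish 4 VCL fragment. This is an added example, not code from the original answer or from the Varnish project; the backend address and port are placeholders for the appliance, and the regular expression is an assumption about how HttpOnly may already appear in the cookie attributes.

```vcl
vcl 4.0;

import std;

# Placeholder for the appliance that issues the cookies (assumption).
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_deliver {
    # In VCL, resp.http.Set-Cookie refers only to the FIRST Set-Cookie header.
    # This rewrite is therefore only correct when the backend emits a single
    # Set-Cookie per response, as the answer above explains.
    #
    # Only append the flag when the header exists and does not already carry
    # HttpOnly (case-insensitive, matched as a whole attribute), so a cookie
    # that is already protected is not tagged twice.
    if (resp.http.Set-Cookie &&
        resp.http.Set-Cookie !~ "(?i)(^|;[ \t]*)HttpOnly[ \t]*(;|$)") {
        # regsub() anchored on "$" appends "; HttpOnly" to the end of the value.
        set resp.http.Set-Cookie = regsub(resp.http.Set-Cookie, "$", "; HttpOnly");
    }
}
```

To verify the rewrite after loading the VCL, request a page that sets a cookie through Varnish and inspect the response headers (for example with curl -sI); the Set-Cookie header should now end in "; HttpOnly" and the client-side document.cookie API should no longer expose that cookie. If a response ever arrives with two or more Set-Cookie headers, only the first will have been rewritten, which is the limitation the answer describes.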