So I've got a Java webapp that uses Tomcat with an Apache proxy layer in front of it. I am looking to make all cookies set in the application have the HttpOnly flag. The issue with this is that Tomcat is responsible for setting the flag on the application side and its default (in Servlet API 2.5) is false. I was hoping I could set this flag for all cookies on the fly using Apache.

I have been trying different combinations and the closest I've come is setting the last cookie passed to HttpOnly, which happens to be wrong:

Header append Set-Cookie "; HttpOnly"

I have no way of knowing what cookies/values will be passed in the application. Is this even possible?

Try the following mod_headers directive.

Header edit Set-Cookie ^(.*)$ $1;HttpOnly
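
An added example, not part of the original answer: a small Python model of the edit rule above, applied once to each Set-Cookie header value, plus an audit that counts HttpOnly attributes per cookie. The sample headers are constructed, and GUARDED_RULE is a hypothetical variant (modelled here only in Python) that leaves cookies alone when they already carry the flag.

```python
import re

# The answer's pattern and replacement, written for Python's re ($1 becomes \1).
ANSWER_RULE = (re.compile(r"^(.*)$"), r"\1;HttpOnly")
# Hypothetical variant: no match (so no change) if HttpOnly is already present.
GUARDED_RULE = (re.compile(r"^(?!.*;\s*HttpOnly\b)(.*)$", re.I), r"\1;HttpOnly")

# Constructed sample: three Set-Cookie headers from one backend response.
SAMPLE = [
    "JSESSIONID=0123ABCD; Path=/app",
    "theme=dark; Path=/; Max-Age=3600",
    "csrf=xyz; Path=/; HttpOnly",
]


def header_edit(set_cookie_values, rule):
    """Model of an edit rule: one substitution per Set-Cookie header value."""
    pattern, replacement = rule
    return [pattern.sub(replacement, v, count=1) for v in set_cookie_values]


def cookie_attributes(value):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute names)."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    return name, [a.split("=", 1)[0].lower() for a in attrs if a]


def audit(set_cookie_values):
    """Map cookie name -> number of HttpOnly attributes (0 means the flag is missing)."""
    parsed = (cookie_attributes(v) for v in set_cookie_values)
    return {name: attrs.count("httponly") for name, attrs in parsed}


def missing_httponly(set_cookie_values):
    """Names of cookies that would reach the browser without HttpOnly."""
    return sorted(n for n, count in audit(set_cookie_values).items() if count == 0)


if __name__ == "__main__":
    print("backend :", audit(SAMPLE))
    print("answer  :", audit(header_edit(SAMPLE, ANSWER_RULE)))
    print("guarded :", audit(header_edit(SAMPLE, GUARDED_RULE)))
```

The same audit can be run over the Set-Cookie headers captured from the proxy's real responses to confirm no cookie is left without the flag.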